Lack of interest Allow Argon2 as password hashing algorithm

This suggestion has been closed automatically because it did not receive enough votes over an extended period of time. If you wish to see this, please search for an open suggestion and, if you don't find any, post a new one.
This suggestion has been closed. Votes are no longer accepted.
The password_hash function supports passing in a constant as its second argument to dictate which algo is used. The default value for this constant is PASSWORD_DEFAULT and the default value for that is (and I believe will remain to be) PASSWORD_BCRYPT.

https://wiki.php.net/rfc/argon2_password_hash

The above link seems to suggest that they were considering changing the default in PHP 7.4 but have since decided against it. Personally, I wonder whether they'd delay making it the default until PHP 8.0.

https://framework.zend.com/blog/2017-08-17-php72-argon2-hash-password.html

This link suggests that far from being standard, you actually need to compile PHP to specifically support it and install the necessary libraries.

Still a valid suggestion I just wanted to point out that it’s not something super simple that everyone will have by default in 7.2. Will definitely be worth keeping an eye out for though.
 
It's worth noting that we use PASSWORD_DEFAULT with password_hash() in XF2, so if the PHP default ever changed to something newer/better, hashes should automatically be updated when those users (explicitly) login again.
 
Chris D said:
The password_hash function supports passing in a constant as its second argument to dictate which algo is used. The default value for this constant is PASSWORD_DEFAULT and the default value for that is (and I believe will remain to be) PASSWORD_BCRYPT.

https://wiki.php.net/rfc/argon2_password_hash

The above link seems to suggest that they were considering changing the default in PHP 7.4 but have since decided against it. Personally, I wonder whether they'd delay making it the default until PHP 8.0.

https://framework.zend.com/blog/2017-08-17-php72-argon2-hash-password.html

This link suggests that far from being standard, you actually need to compile PHP to specifically support it and install the necessary libraries.

Still a valid suggestion I just wanted to point out that it’s not something super simple that everyone will have by default in 7.2. Will definitely be worth keeping an eye out for though.
Click to expand...

Didn't realise they pushed back the date.
 
I don't think they've pushed anything back. Argon2 support is coming in PHP 7.2 but it will not be the default (and was never planned to be, as far as I can tell).

The docs have something interesting on this point:
Note: Updates to supported algorithms by this function (or changes to the default one) must follow the following rules:
  • Any new algorithm must be in core for at least 1 full release of PHP prior to becoming default. So if, for example, a new algorithm is added in 7.5.5, it would not be eligible for default until 7.7 (since 7.6 would be the first full release). But if a different algorithm was added in 7.6.0, it would also be eligible for default at 7.7.0.
  • The default should only change in a full release (7.3.0, 8.0.0, etc) and not in a revision release. The only exception to this is in an emergency when a critical security flaw is found in the current default.
Click to expand...
So, although Argon2 will be supported, it wouldn't be considered as viable for the default until 7.3 at the earliest. The RFC document says they are no longer considering it for 7.4 so that would put it at 7.5 at the earliest.

However, we're slightly concerned after looking into a few things today. I think generally the expectation has been that the process of the default hashing algorithm changing should be transparent, hence why as Mike mentioned we did have it set to PASSWORD_DEFAULT. As it turns out, it would appear that the config we currently have for the PASSWORD_BCRYRPT algo wouldn't be forwards compatible with the new requirements for the PASSWORD_ARGON2I algo. So we've actually made a change so our authentication handler will only use PASSWORD_BCRYRPT for now. Once we have had an opportunity to test, we will explicitly add support for the new algorithm and handle that within our code rather than it just magically changing (and potentially breaking).

Though it's not necessarily bad news. It might mean we can support Argon2 earlier, if we don't have to wait until it becomes the default. It just means we can add conditionals in the code to detect support and use the best supported algo as needed.
 

Similar threads

elsparkodiablo
  • Question Question
XF 2.2 Way to display a userflag or banner if email & password has been updated recently?
Replies
2
Views
644
Christian P.
C
daytona4me
  • Question Question
XF 2.2 Password complexity? 2.2
Replies
3
Views
353
daytona4me
daytona4me
Jeffin
Password manager not able to login
Replies
0
Views
434
Jeffin
Jeffin
digitalpoint
Password-less login
Replies
16
Views
1K
PaulB
PaulB
AndyB
Fixed Password reset allowed using email of banned user
Replies
4
Views
1K
Chris D
Chris D
Top Bottom