Calling Developers!
We are reenergizing our code contribution process! Learn More

What are the Slack Archives?

It’s a history of our time together in the Slack Community! There’s a ton of knowledge in here, so feel free to search through the archives for a possible answer to your question.

Because this space is not active, you won’t be able to create a new post or comment here. If you have a question or want to start a discussion about something, head over to our categories and pick one to post in! You can always refer back to a post from Slack Archives if needed; just copy the link to use it as a reference..

hello, why Spryker uses bcrypt as default hashing algorithm ? argon2 is a way stronger and supported

Options
U040VMZLRK6
U040VMZLRK6 Posts: 2 🧑🏻‍🚀 - Cadet
edited September 2022 in Slack General

hello, why Spryker uses bcrypt as default hashing algorithm ? argon2 is a way stronger and supported since php 7.3

Comments

  • Alberto Reyer
    Alberto Reyer Lead Spryker Solution Architect / Technical Director Posts: 690 🪐 - Explorer
    Options

    Under the hood the Symfony Password Hasher is used, which used BCrypt as a default.
    With the current version of Spryker Security Argon2 is used (Symfony changed the behavior to always use the best algorithm available).
    So seeing bcrypt as password algorithm is a historical thing in Spryker.

    You can set the algorithm to argon2 explicitly in https://github.com/spryker/customer/blob/7.42.0/src/Spryker/Zed/Customer/Business/Customer/Customer.php
    The main issue would be to migrate all your users to use the new algorithm as you will need their plain text password to encrypt it with a different algorithm.
    You could add a little bit code into \Spryker\Zed\Customer\Business\Customer\Customer::tryAuthorizeCustomerByEmailAndPassword to migrate passwords once a customer do a login.
    That will not migrate all your customers but at least those who are active over time.