[5.6] Add hashing configuration #23573
When configuring hashing we should be able to manage the default settings.
The default configuration of argon is good for small systems but should be adjusted to target 0.5 sec to make a brute force attack harder.
The configuration file (hashing.php) should then have options to do that.
/*
|--------------------------------------------------------------------------
| bcrypt options
|--------------------------------------------------------------------------
|
| We could define the number of rounds the bcrypt algo will be using.
|
| The two digit cost parameter is the base-2 logarithm of the iteration
| count for the underlying Blowfish-based hashing algorithm and must
| be in the range 04-31; values outside this range will cause crypt() to fail.
|
| Default: 10
*/
'bcrypt' => [
    'rounds' => 10,
],

/*
|--------------------------------------------------------------------------
| argon options
|--------------------------------------------------------------------------
|
| These settings could be adjusted depending on your hardware.
|
| time: Maximum amount of time it may take to compute the Argon2 hash.
| (default: 2)
|
| memory: Maximum memory (in bytes) that may be used to compute the Argon2 hash.
| (default: 1024)
|
| threads: Number of threads to use for computing the Argon2 hash.
| (default: 2)
|
*/
'argon' => [
    'time' => 2,
    'memory' => 1024,
    'threads' => 2,
],
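As an added example (not code from this PR or from Laravel), the script below measures how long one hash takes and raises the bcrypt cost or the Argon2 time parameter until a single hash reaches the 0.5 sec target proposed above, so the values written into config/hashing.php reflect the actual hardware. The target, the sample password, the starting values and the upper caps are assumptions; the Argon2 branch only runs on a PHP build compiled with Argon2 support.

```php
<?php
// Added example, not code from the PR or Laravel: benchmark bcrypt and Argon2
// cost parameters against a wall-clock target so the values placed in
// config/hashing.php fit the hardware. Target and start values are assumptions.

/**
 * Return the lowest bcrypt cost whose single hash takes at least $targetSeconds.
 * Cost is the base-2 log of the iteration count; crypt() accepts 04-31.
 */
function calibrateBcryptCost(float $targetSeconds, int $start = 10, int $max = 14): int
{
    $cost = $start;
    do {
        $t0 = microtime(true);
        password_hash('calibration-sample-password', PASSWORD_BCRYPT, ['cost' => $cost]);
        $elapsed = microtime(true) - $t0;
        if ($elapsed >= $targetSeconds) {
            return $cost;
        }
        $cost++;
    } while ($cost <= $max);
    return $max; // cap reached without hitting the target; review the cap or hardware
}

/**
 * Increase Argon2 time_cost until one hash takes at least $targetSeconds,
 * keeping memory_cost (in KiB) and threads fixed.
 */
function calibrateArgonTimeCost(float $targetSeconds, int $memoryKib, int $threads, int $max = 10): int
{
    if (!defined('PASSWORD_ARGON2I')) {
        throw new RuntimeException('This PHP build has no Argon2 support');
    }
    for ($time = 1; $time <= $max; $time++) {
        $t0 = microtime(true);
        password_hash('calibration-sample-password', PASSWORD_ARGON2I, [
            'memory_cost' => $memoryKib,
            'time_cost'   => $time,
            'threads'     => $threads,
        ]);
        if (microtime(true) - $t0 >= $targetSeconds) {
            return $time;
        }
    }
    return $max; // cap reached; raise memory_cost rather than time alone
}

$target = 0.5; // seconds per hash, the figure proposed in the PR description
printf("bcrypt rounds: %d\n", calibrateBcryptCost($target));
printf("argon time:    %d\n", calibrateArgonTimeCost($target, 1024, 2));
```

Run it on the machine that will serve logins, not a developer laptop, since the result is only meaningful for the hardware that verifies passwords.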
You can pass the options when hashing.
Yes sure we can, but when using the default Laravel login / password and register it uses the default configuration in the class, which in the case of argon is not strong enough to resist a brute force attack against a password list. I think that including this in the configuration would be great instead of having to modify the Login/Register and change password controllers. According to the NCC Group, slower === better in terms of hashing for password protection. The following link displays many possibilities for configuration that could and should be used to slow the attack vector of scrypt and argon2.
Should I create a pull request for the configuration file (hashing.php) in the project laravel/laravel?
@huguesjoyal: Can you please make a PR to the