Always rehashing with PHP7.2 (Argon2i vs Argon2id) #72
Comments
Libsodium switched to Argon2id by default in 1.0.15, which is unambiguously a good move. Halite pins its minimum to 1.0.13, which was the first version with Argon2id support. This change was one of the motivators in selecting 1.0.13 as the minimum. However, I somehow neglected to make the necessary changes to handle Argon2id in the code. Thanks for reporting this. I'll get a fix out ASAP.
@paragonie-scott Wouldn’t this be easier if sodium had its own ‘needs rehash’ function? Or if there was some method to discover what the current hash mechanism is and what parameters it requires (based on its dependencies).
I've tagged I'll get a working fix for 4.0.x soon for 1.0.13+ compatibility.
v4.0.3 was released with the fix.
When moving towards PHP 7.2 and upgrading from \Sodium::CONSTANT towards SODIUM_CONSTANT, I was noticing that the password hashing mechanism was changed from Argon2i to Argon2id. At first I thought that might be just my configuration, but I also see it on 3v4l.

If this is not configuration, it means that Halite is always rehashing passwords in PHP7.2, because it counts on Argon2i. Or am I just missing something?
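
The always-rehash behaviour discussed in this thread, as an added PHP example that is not part of the issue and is not Halite's or libsodium's code: a check pinned to the `$argon2i$` prefix flags every freshly written Argon2id hash as stale, while a check that parses the algorithm and cost parameters does not. The function names, the policy values and the sample hashes (filler salt and digest) are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Parse the header of an Argon2 encoded string:
//   $alg$v=NN$m=KiB,t=passes,p=lanes$salt$digest
function parseArgon2(string $encoded): ?array
{
    $re = '/^\$(argon2id|argon2i)\$v=\d+\$m=(\d+),t=(\d+),p=(\d+)'
        . '\$[A-Za-z0-9+\/]+\$[A-Za-z0-9+\/]+$/';
    if (preg_match($re, $encoded, $m) !== 1) {
        return null; // not an Argon2 string this parser understands
    }
    return ['alg' => $m[1], 'm' => (int) $m[2], 't' => (int) $m[3], 'p' => (int) $m[4]];
}

// Hypothetical stale check, written as if the library only ever emitted Argon2i.
function legacyNeedsRehash(string $encoded): bool
{
    return strncmp($encoded, '$argon2i$', 9) !== 0;
}

// Rehash only when the stored algorithm or a cost parameter differs from policy.
function needsRehash(string $encoded, array $policy): bool
{
    $stored = parseArgon2($encoded);
    if ($stored === null) {
        return true; // unknown format: replace it at next successful login
    }
    foreach ($policy as $key => $wanted) {
        if ($stored[$key] !== $wanted) {
            return true;
        }
    }
    return false;
}

// Constructed policy and sample hashes (salt and digest are filler, not real output).
$policy = ['alg' => 'argon2id', 'm' => 65536, 't' => 2, 'p' => 1];
$tail   = '$c2FsdHNhbHRzYWx0c2FsdA$QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVowMTIzNDU';
$hashes = [
    'old Argon2i hash'    => '$argon2i$v=19$m=32768,t=4,p=1' . $tail,
    'fresh Argon2id hash' => '$argon2id$v=19$m=65536,t=2,p=1' . $tail,
];

foreach ($hashes as $label => $hash) {
    printf("%-20s legacy=%-5s parameter-aware=%s\n", $label,
        var_export(legacyNeedsRehash($hash), true),
        var_export(needsRehash($hash, $policy), true));
}
```

With the prefix-pinned check, the hash written during a rehash is itself judged stale at the next login, so every successful login pays for a second Argon2 computation and a database write.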