
I figured out Symfony 4.4 uses Libsodium (Sodium) as encoding method for passwords and falls back on Bcrypt when Sodium is not installed.

Is Sodium better than Bcrypt?

If so, why is it better? What is the difference?


I'm fairly new to password hashers as well, and I was wondering something similar myself, so here's what I found.

The documentation states the following:

Argon2i support is provided through the libsodium library, which selects the Argon2 variant (argon2d, argon2i or argon2id) automatically based on the host system.


So then it actually boils down to Argon2 vs Bcrypt.

Well here's an explanation (2018) on why you should use Argon2.


That being said, starting from Symfony 5.3, the "auto" password hasher is Bcrypt.

So you might think, why did they choose Bcrypt? Well if you check out this PR, it links to this tweet (2019), stating the following concerning Argon2:

It is weaker than bcrypt at runtimes < 1000 ms.

I assume they (those who reviewed the PR and the claim) think this statement/person is credible, BUT it is argued whether the statement is actually correct and whether there's any evidence to back up this claim. So for more information you can look at this thread (2021).


After reading through all of the above, I'd stick to Bcrypt for now.

  • So if I understand correctly, it's basically a matter of what amount of ms you're using? Below 1000 ms bcrypt seems to do a better job and above it Argon2 is better?
    – Allart
    Commented Jul 19, 2021 at 7:03
  • I'm not confident enough to say if that statement is entirely correct due to the controversy in the thread(s) mentioned above.
    – YTZ
    Commented Jul 24, 2021 at 18:37
  • 1
    Yes but you gave me enough info to decide for myself what is best. Maybe they aren't all facts but like you said "After reading through all of the above, I'd stick to Bcrypt for now.".
    – Allart
    Commented Jul 26, 2021 at 6:23
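The answer and the comments turn on runtime: bcrypt has a single cost parameter, while the libsodium hasher (Argon2, currently Argon2id on libsodium builds) is tuned in both CPU and memory. The script below is an added example, not code from the question, the answer or Symfony itself; it calibrates bcrypt to a per-login time budget and times the two libsodium presets beside it, so the "< 1000 ms" argument can be checked on your own hardware. It assumes PHP 7.4+ with the sodium extension; the 250 ms budget and the sample password are constructed values.

```php
<?php
declare(strict_types=1);

// Run one hashing call and return [hash, elapsed milliseconds].
function timeHash(callable $hashFn): array
{
    $start = hrtime(true);
    $hash = $hashFn();
    return [$hash, (hrtime(true) - $start) / 1e6];
}

// Raise the bcrypt cost until a single hash takes at least $targetMs.
// Work doubles with each +1, so the loop stays short.
function calibrateBcryptCost(float $targetMs, int $minCost = 10, int $maxCost = 15): int
{
    for ($cost = $minCost; $cost <= $maxCost; $cost++) {
        [, $ms] = timeHash(fn() => password_hash('calibration-only', PASSWORD_BCRYPT, ['cost' => $cost]));
        if ($ms >= $targetMs) {
            return $cost;
        }
    }
    return $maxCost;
}

$password = 'correct horse battery staple'; // constructed sample input
$targetMs = 250.0;                           // constructed per-login time budget

// bcrypt: one tunable (cost), CPU-bound only.
$cost = calibrateBcryptCost($targetMs);
[$bcryptHash, $bcryptMs] = timeHash(fn() => password_hash($password, PASSWORD_BCRYPT, ['cost' => $cost]));
printf("bcrypt  cost=%d  %.0f ms  verify=%s\n", $cost, $bcryptMs,
    password_verify($password, $bcryptHash) ? 'ok' : 'FAIL');

// libsodium pwhash: tunable in operations (CPU) and memory; these are the library's presets.
$profiles = [
    'interactive' => [SODIUM_CRYPTO_PWHASH_OPSLIMIT_INTERACTIVE, SODIUM_CRYPTO_PWHASH_MEMLIMIT_INTERACTIVE],
    'moderate'    => [SODIUM_CRYPTO_PWHASH_OPSLIMIT_MODERATE,    SODIUM_CRYPTO_PWHASH_MEMLIMIT_MODERATE],
];
foreach ($profiles as $name => [$ops, $mem]) {
    [$sodiumHash, $ms] = timeHash(fn() => sodium_crypto_pwhash_str($password, $ops, $mem));
    printf("sodium  %-11s ops=%d mem=%dMiB  %.0f ms  verify=%s\n", $name, $ops, $mem >> 20, $ms,
        sodium_crypto_pwhash_str_verify($sodiumHash, $password) ? 'ok' : 'FAIL');
}

// Whichever algorithm is chosen, stored hashes must be re-hashed when parameters are raised later.
$needsUpgrade = password_needs_rehash($bcryptHash, PASSWORD_BCRYPT, ['cost' => $cost + 1]);
printf("bcrypt hash needs rehash at cost %d: %s\n", $cost + 1, $needsUpgrade ? 'yes' : 'no');
```

Timings vary with hardware and load, so run the script on the machine that will actually serve logins before settling on a cost or preset.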
