In 2013, Password Hashing Competition was announced to select one or more password hash functions that can be recognized as a recommended standard.
On July, 2015 Argon2 was selected as the winner of Password Hashing Competition. This hashing algorithm was designed by Alex Biryukov, Daniel Dinu, and Dmitry Khovratovich from the University of Luxembourg. You can learn more about it on this Wikipedia article.
Argon2 has three variants: Argon2i, Argon2d, and Argon2id. You may look at the reference C implementation of Argon2 on Github.
Argon2d, Argon2i, and Argon2id are described as:
- Argon2d is faster and maximizes resistance against GPU attacks.
- Argon2i uses data-independent memory which is preferred for password hashing. Argon2i resists side-channel attacks.
- Argon2id is a hybrid of the two. It uses a combination of data-depending and data-independent memory accesses.
PHP 7.2 includes functions for both the Argon2d and Argon2i version. Argon2i is preferred for password hashing.
Laravel 5.6 will now include Argon2i password hashing support. You can look at the pull request by Michael Lundbøl to see its implementation.
bcrypt will continue to be supported and will remain as the default. If you are using PHP password_hash function, you can pass PASSWORD_ARGON2I as the second parameter and it will use Argon2i hashing algorithm to hash passwords.
You can start using Argon2i driver in your Laravel projects as soon as Laravel 5.6 is released officially.
