In 2013, cryptographers and security practitioners around the world came together to create an open Password Hashing Competition (PHC) with the goal of selecting one or more password hash functions to be recognized as a recommended standard.
On July 20th, 2015 Argon2 that was designed by Alex Biryukov, Daniel Dinu, and Dmitry Khovratovich from the University of Luxembourg was selected as the final PHC winner. Argon2 comes in the following three versions:
- Argon2d maximizes resistance to GPU cracking attacks.
- Argon2i is optimized to resist side-channel attacks. It accesses the memory array in a password independent order.
- Argon2id is a hybrid version. It follows the Argon2i approach for the first pass over memory and the Argon2d approach for subsequent passes.
With the release of PHP 7.2 in November of 2017, PHP now includes functions for both the
i version. However, the 2d is not suitable for password hashing.
Laravel 5.6 that is due out next month will now feature Argon2i password hashing support thanks to Michael Lundbøl, and you can find out how it’s implemented through the following pull request.
The old style of
bcrypt will continue to be supported and will remain the default, but if you are starting a new project then it might be worth considering using the Argon2i driver once Laravel 5.6 officially makes it release.