How do I replace Laravel’s Hash facade with symfony/password-hasher in my existing app?

Bind the `PasswordHasherInterface` in your `AppServiceProvider` using the `PasswordHasherFactory` with your configured algorithms. Override `Hash::make()` and `Hash::check()` calls to use the factory’s hasher. Example: `$this->app->bind(PasswordHasherInterface::class, fn($app) => (new PasswordHasherFactory($app['config']['password-hasher']))->getPasswordHasher('default'));`

Which algorithm should I use for Laravel 10+ applications—bcrypt, sodium, or Argon2id?

Use **Argon2id** for high-security needs (e.g., admin accounts) due to its memory-hard nature, **bcrypt** for general use (balance of security/performance), and **sodium** if available (requires `ext/sodium`). Avoid SHA-1/MD5. Configure via `PasswordHasherFactory` with cost parameters tuned for your server.

Can symfony/password-hasher detect and migrate legacy hashes (e.g., SHA-1) in my Laravel database?

Yes. Use `getPasswordHasherForUser($hash)` to auto-detect the algorithm. Gradually rehash legacy hashes on login or during batch jobs. The package won’t break existing bcrypt/Argon2id hashes. Audit for weak hashes with `str_starts_with($hash, '$2y$')` or regex patterns.

How does symfony/password-hasher integrate with Laravel Fortify or Passport for password resets/OAuth?

Bind the factory to Fortify’s `hashPassword()` or Passport’s `hashClientSecret()` via Laravel’s service container. Example: `Fortify::hashPassword(fn($password) => $hasher->hash($password))`. No changes to Fortify/Passport logic are needed—just replace the underlying hasher.

What are the performance implications of Argon2id vs. bcrypt in production Laravel APIs?

Argon2id is **slower** (CPU/memory-intensive) than bcrypt but more resistant to brute force. Benchmark with `symfony/password-hasher`'s built-in tests. For APIs, cache hashes if stateless (e.g., JWT) or use bcrypt for guests/Argon2id for admins via the factory.

Does symfony/password-hasher support Laravel’s `MustVerifyPassword` or `CanResetPassword` contracts?

Yes. The package works seamlessly with Laravel’s auth contracts. Hash verification via `verify()` aligns with `MustVerifyPassword::verifyPassword()`, and password resets via `CanResetPassword` use the same hasher instance. No contract modifications are required.

How do I handle Sodium availability issues in shared hosting environments?

Configure a fallback algorithm in `PasswordHasherFactory`. Example: `['default' => ['algorithm' => 'bcrypt'], 'sodium_fallback' => ['algorithm' => 'bcrypt']]`. Use `try-catch` around `getPasswordHasher('sodium')` to gracefully fall back. Check `extension_loaded('sodium')` in a pre-flight check.

Can I use symfony/password-hasher with Laravel 9.x, or is it Laravel 10+ only?

It works with **Laravel 9.x** but requires minor polyfills for Symfony 6+ dependencies. For Laravel 8.x, use `symfony/password-hasher:^5.4` with a compatibility layer. Test with `phpunit` to ensure no breaking changes in the auth pipeline.

What’s the best way to test symfony/password-hasher in Laravel’s authentication tests?

Mock the `PasswordHasherInterface` in PHPUnit tests using `createMock(PasswordHasherInterface::class)`. Verify `hash()` returns consistent outputs and `verify()` behaves for correct/incorrect passwords. Test edge cases like empty strings or very long passwords.

Are there alternatives to symfony/password-hasher for Laravel, and why should I choose this one?

Alternatives include `laravel/breeze` (basic bcrypt) or `phpass` (legacy). Choose `symfony/password-hasher` for **algorithm flexibility**, **NIST/OWASP compliance**, and **Laravel-native integration**. It’s battle-tested in Symfony, supports modern algorithms, and avoids vendor lock-in with a simple API.

Weave Code

Code Weaver

Helps Laravel developers discover, compare, and choose open-source packages. See popularity, security, maintainers, and scores at a glance to make better decisions.

Password Hasher Laravel Package

symfony/password-hasher

Symfony PasswordHasher provides secure password hashing and verification with modern algorithms like bcrypt and sodium. Use PasswordHasherFactory to configure multiple hashers and select the right one for your app’s needs.

View on GitHub

Deep Wiki

Context7

Provides password hashing utilities

Frequently asked questions about Password Hasher

How do I replace Laravel’s Hash facade with symfony/password-hasher in my existing app?: Bind the `PasswordHasherInterface` in your `AppServiceProvider` using the `PasswordHasherFactory` with your configured algorithms. Override `Hash::make()` and `Hash::check()` calls to use the factory’s hasher. Example: `$this->app->bind(PasswordHasherInterface::class, fn($app) => (new PasswordHasherFactory($app['config']['password-hasher']))->getPasswordHasher('default'));`
Which algorithm should I use for Laravel 10+ applications—bcrypt, sodium, or Argon2id?: Use **Argon2id** for high-security needs (e.g., admin accounts) due to its memory-hard nature, **bcrypt** for general use (balance of security/performance), and **sodium** if available (requires `ext/sodium`). Avoid SHA-1/MD5. Configure via `PasswordHasherFactory` with cost parameters tuned for your server.
Can symfony/password-hasher detect and migrate legacy hashes (e.g., SHA-1) in my Laravel database?: Yes. Use `getPasswordHasherForUser($hash)` to auto-detect the algorithm. Gradually rehash legacy hashes on login or during batch jobs. The package won’t break existing bcrypt/Argon2id hashes. Audit for weak hashes with `str_starts_with($hash, '$2y$')` or regex patterns.
How does symfony/password-hasher integrate with Laravel Fortify or Passport for password resets/OAuth?: Bind the factory to Fortify’s `hashPassword()` or Passport’s `hashClientSecret()` via Laravel’s service container. Example: `Fortify::hashPassword(fn($password) => $hasher->hash($password))`. No changes to Fortify/Passport logic are needed—just replace the underlying hasher.
What are the performance implications of Argon2id vs. bcrypt in production Laravel APIs?: Argon2id is **slower** (CPU/memory-intensive) than bcrypt but more resistant to brute force. Benchmark with `symfony/password-hasher`'s built-in tests. For APIs, cache hashes if stateless (e.g., JWT) or use bcrypt for guests/Argon2id for admins via the factory.
Does symfony/password-hasher support Laravel’s `MustVerifyPassword` or `CanResetPassword` contracts?: Yes. The package works seamlessly with Laravel’s auth contracts. Hash verification via `verify()` aligns with `MustVerifyPassword::verifyPassword()`, and password resets via `CanResetPassword` use the same hasher instance. No contract modifications are required.
How do I handle Sodium availability issues in shared hosting environments?: Configure a fallback algorithm in `PasswordHasherFactory`. Example: `['default' => ['algorithm' => 'bcrypt'], 'sodium_fallback' => ['algorithm' => 'bcrypt']]`. Use `try-catch` around `getPasswordHasher('sodium')` to gracefully fall back. Check `extension_loaded('sodium')` in a pre-flight check.
Can I use symfony/password-hasher with Laravel 9.x, or is it Laravel 10+ only?: It works with **Laravel 9.x** but requires minor polyfills for Symfony 6+ dependencies. For Laravel 8.x, use `symfony/password-hasher:^5.4` with a compatibility layer. Test with `phpunit` to ensure no breaking changes in the auth pipeline.
What’s the best way to test symfony/password-hasher in Laravel’s authentication tests?: Mock the `PasswordHasherInterface` in PHPUnit tests using `createMock(PasswordHasherInterface::class)`. Verify `hash()` returns consistent outputs and `verify()` behaves for correct/incorrect passwords. Test edge cases like empty strings or very long passwords.
Are there alternatives to symfony/password-hasher for Laravel, and why should I choose this one?: Alternatives include `laravel/breeze` (basic bcrypt) or `phpass` (legacy). Choose `symfony/password-hasher` for **algorithm flexibility**, **NIST/OWASP compliance**, and **Laravel-native integration**. It’s battle-tested in Symfony, supports modern algorithms, and avoids vendor lock-in with a simple API.

Popularity trends

Recorded values over time (once-a-day snapshots). May 8, 2026 – Jun 6, 2026

GitHub · stars

GitHub · forks

GitHub · watchers

Packagist · monthly downloads

View on GitHub

Stars

814

Favorites

818

Forks

Score

34.7

Score breakdown

Sum of components, capped 0–100. Halved if archived.

Stars

input: 814

+4.1
Forks

input: 4

+0.1
Open issues + PRs

input: 0

+0.0
Releases

input: 36

+10.8
Recency

input: 16

+19.1
Issue opportunity

input: 0

+0.0
Laravel News mentions

input: 0

+0.0
Dependents

input: 0

+0.0

Total 34.1

Opportunity

60.1

Opportunity score breakdown

Hidden gem signal × 0.65 + contribution need × 0.35, scaled by health factor.

Hidden gem

log(monthly_downloads / (stars + 1)) × 25

92.7
Contribution need

open_issues + open_prs: 0

0.0
Health factor

archived + recency + open issues

×0.99

Total 59.9

License

MIT

Last release

May 20, 2026

Watchers

Downloads

4M/mo

Dependents

Open issues

Weaver

How can I help you explore Laravel packages today?

Conversation history is not saved when not logged in.

Add packages to context

No packages found.

hexters/coinpayment

rjcodes/rjcms

act-training/laravel-permissions-manager

alimarchal/laravel-chart-of-accounts

babenkoivan/elastic-scout-driver

mkwebdesign/filament-watchdog-v5

renatomarinho/laravel-page-speed

zedmagdy/filament-business-hours

renatovdemoura/blade-elements-ui

devgeek/beacon-admin

benjamin-rqt/data-watcher-bundle

atriumphp/atrium

sandermuller/package-boost-laravel

sandermuller/boost-skills

redaxo/core

yusufgenc/filament-api-forge

l3aro/rating-star-for-filament

leek/filament-subtenant-scope

anil/file-picker

broqit/fields-ai