Password Hasher Laravel Package

symfony/password-hasher

Symfony PasswordHasher provides password hashing and verification utilities. Configure one or more named hashers via PasswordHasherFactory (bcrypt, Argon2id through libsodium or PHP's native implementation, PBKDF2, and legacy message digests for migration), hash plain passwords, verify stored hashes, and use needsRehash() to detect which stored hashes should be rewritten after an algorithm or cost change.


Product Decisions This Supports

  • Security Hardening: Supports compliance with NIST SP 800-63B, OWASP Top 10 (A02:2021 Cryptographic Failures), and GDPR Article 32 by replacing legacy or custom hashing with bcrypt or Argon2id (via libsodium or PHP's native implementation). Mitigates risks from fast or broken digests (e.g., SHA-1, MD5) and misconfigured bcrypt (e.g., a cost factor below 10).
  • Tiered Security Architecture: PasswordHasherFactory resolves a hasher per user class or per named key, so admin or API credentials can be hashed with memory-hard Argon2id while standard users stay on bcrypt, without changing the login flow. This spends the extra CPU and memory where a cracked hash does the most damage.
  • Password Migration Strategy: A hasher configured with migrate_from (or the auto algorithm, which already accepts legacy PBKDF2 and SHA-512 digests) verifies old formats and reports them through needsRehash(), so hashes are rewritten one at a time as users log in instead of through a bulk migration. The library only signals the need to rehash; the application must persist the new hash after a successful login (Symfony does this through PasswordUpgraderInterface; in Laravel, call needsRehash() in the login path or rely on rehash-on-login where the framework version supports it).
  • Build vs. Buy Decision: Avoids reinventing password security—a high-risk, high-compliance component—by leveraging Symfony’s security team’s expertise. Reduces technical debt, audit concerns, and long-term maintenance costs.
  • Future-Proofing: Maintained alongside current PHP releases and Symfony's maintenance schedule, and usable from Laravel through a small adapter. The factory abstraction gives algorithm agility: the hash function or its parameters can be changed later without touching authentication code. (This is not post-quantum readiness; post-quantum migration concerns public-key cryptography, not password hashing.)
  • Performance Optimization: Lets you tune hashing parameters per hasher (bcrypt cost; Argon2 memory_cost and time_cost) to balance security and latency on login endpoints. Keep them at or above OWASP's recommended floors (bcrypt cost 10; Argon2id 19 MiB with 2 iterations) and handle bulk user imports asynchronously rather than by lowering the cost.
  • Legacy System Integration: Enables gradual migration from outdated hashes (e.g., SHA-1, plaintext) to modern algorithms without rewriting authentication logic: migrate_from chains the legacy hashers behind the current one so both formats verify during the transition, while only the current one is ever used to produce new hashes.
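The configuration and login-time upgrade described in the list above, as an added example (not code from the Symfony project or from this page). It assumes symfony/password-hasher is installed via Composer; the hasher names users, admins and legacy_sha1, the sample rows and the authenticate() helper are this example's own choices.

```php
<?php
// Added example (not code from the Symfony project or from this page): named hashers
// with PasswordHasherFactory, a legacy format chained via migrate_from, and the
// rehash-at-login step the application itself has to perform.
// Requires: composer require symfony/password-hasher
// The hasher names, the sample rows and authenticate() are this example's own choices.

require __DIR__ . '/vendor/autoload.php';

use Symfony\Component\PasswordHasher\Hasher\PasswordHasherFactory;

$factory = new PasswordHasherFactory([
    // Legacy format still present in the database: unsalted hex sha1($password).
    // Kept only so old rows can be verified once; nothing new is ever hashed with it.
    'legacy_sha1' => ['algorithm' => 'sha1', 'encode_as_base64' => false, 'iterations' => 1],

    // Standard accounts: bcrypt at cost 12. migrate_from lets the legacy format verify
    // until the row is rewritten, and needsRehash() flags such rows.
    'users' => ['algorithm' => 'bcrypt', 'cost' => 12, 'migrate_from' => ['legacy_sha1']],

    // High-value accounts: Argon2id (libsodium or PHP's native build, whichever is
    // present; the factory throws if neither is). memory_cost is in KiB: 64 MiB, 3 passes.
    'admins' => ['algorithm' => 'argon2id', 'time_cost' => 3, 'memory_cost' => 65536],
]);

/**
 * Login step. Returns false on a wrong password. On success, if the stored hash is not
 * in the hasher's current best format, $row['password'] is replaced and the caller must
 * persist it: the library only signals the need to rehash, it never writes the database.
 */
function authenticate(PasswordHasherFactory $factory, array &$row, string $plain): bool
{
    $hasher = $factory->getPasswordHasher($row['tier']);

    if (!$hasher->verify($row['password'], $plain)) {
        return false;
    }
    if ($hasher->needsRehash($row['password'])) {
        $row['password'] = $hasher->hash($plain);
    }

    return true;
}

// Constructed sample rows (not real data): a legacy sha1 row, a current bcrypt row,
// and an admin row.
$rows = [
    1 => ['tier' => 'users',  'password' => sha1('correct horse battery staple')],
    2 => ['tier' => 'users',  'password' => $factory->getPasswordHasher('users')->hash('hunter2')],
    3 => ['tier' => 'admins', 'password' => $factory->getPasswordHasher('admins')->hash('admin-pass')],
];

$check = static function (bool $ok, string $what): void {
    if (!$ok) {
        throw new RuntimeException("Check failed: $what");
    }
};

// A wrong password is rejected in either format, and the row is left untouched.
$check(!authenticate($factory, $rows[1], 'wrong'), 'legacy row rejects wrong password');
$check(strlen($rows[1]['password']) === 40, 'legacy row untouched after failed login');

// The legacy row logs in and is rewritten as a bcrypt hash ("$2y$12$...").
$check(authenticate($factory, $rows[1], 'correct horse battery staple'), 'legacy row accepts correct password');
$check(str_starts_with($rows[1]['password'], '$2y$12$'), 'legacy row upgraded to bcrypt cost 12');

// A row already in the best format is verified without being rewritten.
$before = $rows[2]['password'];
$check(authenticate($factory, $rows[2], 'hunter2'), 'bcrypt row accepts correct password');
$check($before === $rows[2]['password'], 'current row not rewritten');

// Admin hashes use Argon2id and are not flagged for rehash.
$check(str_starts_with($rows[3]['password'], '$argon2id$'), 'admin row is Argon2id');
$check(authenticate($factory, $rows[3], 'admin-pass'), 'admin row accepts correct password');

echo "All checks passed", PHP_EOL;
```

The point to take from the script is the split of responsibilities: the factory and MigratingPasswordHasher decide which formats verify and which ones need rewriting, but the write of the new hash back to the user row is the application's job, and it only ever happens on a successful login because the plaintext is not available at any other time.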

When to Consider This Package

Adopt when:

  • Your Laravel project needs what the Hash facade does not offer: several named hashers with different algorithms, or a migrate_from chain that verifies multiple legacy formats while they are being rewritten. (Laravel's own drivers already cover bcrypt, argon and argon2id with configurable cost, memory, time and threads in config/hashing.php, so needing Argon2 alone is not a reason to add this package.)
  • Security audits or compliance mandates (e.g., PCI DSS, GDPR, HIPAA) demand explicit control over hashing algorithms and parameters.
  • You need multi-algorithm support (e.g., tiered security for admin vs. standard users, legacy hash migration).
  • Your team lacks PHP security expertise and wants to avoid custom hashing implementations (a common source of OWASP A02:2021 Cryptographic Failures).
  • You’re migrating from legacy systems (e.g., SHA-1, plaintext) and need a phased upgrade path without disrupting users.
  • Performance tuning is required (e.g., setting Argon2's memory cost per tier for high-traffic APIs). Tune per hasher rather than lowering bcrypt cost for "low-risk" accounts: every account's hash ends up in the same leaked table.
  • You want algorithm agility for future audits or policy changes, so the hash function or its parameters can change without touching authentication code.

Look elsewhere when:

  • Laravel's default Hash facade (bcrypt, argon or argon2id with tunable parameters) suffices for your security needs and you have no legacy formats to migrate.
  • You prioritize minimal dependencies: the package targets Symfony, so Laravel needs a small adapter behind the Hash facade, whereas the built-in drivers have zero integration overhead.
  • Your password column is narrower than the hash output: bcrypt strings are 60 characters, PHP's Argon2id strings are about 97 with default parameters, and libsodium's can be up to 128 bytes. Laravel's default VARCHAR(255) column is wide enough.
  • Your team lacks resources to build/maintain a Laravel adapter or test edge cases (e.g., legacy hash compatibility, hybrid migration).
  • You’re building a low-security prototype (e.g., internal tools) where simplicity outweighs advanced hashing needs.

How to Pitch It (Stakeholders)

For Executives:

"This package eliminates a critical security gap by replacing ad-hoc password hashing with a standardized, audited solution aligned with NIST SP 800-63B, OWASP and GDPR Article 32. By adopting Argon2id for high-risk accounts (e.g., admins, APIs) and migrating legacy hashes as users log in, we reduce breach liability from offline cracking of leaked password hashes—without disrupting users. The cost? A one-time engineering effort to integrate it with Laravel. The alternative? Risking a data breach from weak hashing and the PR nightmare that follows. This is a low-risk, high-reward security upgrade that aligns with our compliance roadmap and reduces long-term technical debt."

For Engineering:

*"For Laravel, we’d create a lightweight adapter to wrap Symfony’s PasswordHasherFactory, giving us:

  • Argon2 support (for compliance or admin accounts),
  • Multi-algorithm hashing (e.g., bcrypt for users, Sodium for APIs),
  • Automatic hash upgrades (no manual migrations),
  • Fine-grained control over hashing parameters (e.g., Argon2 memory cost).

The tradeoff? A one-time integration effort (~2–3 dev days) to bridge Symfony's factory pattern with Laravel's Hasher contract. Laravel's own drivers already provide bcrypt and Argon2id with tunable parameters, so the case for the adapter is multi-algorithm and legacy-migration support, not Argon2 itself. For projects that need those, it is worth the cost. Alternatives? Rolling our own hashing (risky) or using a less maintained package (higher long-term cost)."*
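The adapter sketched in the engineering pitch, as an added example (not code from Symfony, Laravel or this page). It assumes a Laravel application with symfony/password-hasher installed; the class names, the driver name symfony and the hasher keys users and legacy_sha1 are this example's own choices.

```php
<?php
// Added example of the Laravel adapter described above: an implementation of Laravel's
// Hasher contract backed by Symfony's PasswordHasherFactory, registered as a Hash driver.
// Not code from Symfony, Laravel or this page. Assumes a Laravel application with
// symfony/password-hasher installed; the class names, the driver name 'symfony' and the
// hasher keys 'users' / 'legacy_sha1' are this example's own choices. Both classes are
// shown in one file for reading; split them per PSR-4 in a real app.

namespace App\Hashing;

use Illuminate\Contracts\Hashing\Hasher;
use Illuminate\Support\Facades\Hash;
use Illuminate\Support\ServiceProvider;
use Symfony\Component\PasswordHasher\Hasher\PasswordHasherFactory;
use Symfony\Component\PasswordHasher\PasswordHasherInterface;

final class SymfonyHasher implements Hasher
{
    private PasswordHasherInterface $hasher;

    public function __construct(PasswordHasherFactory $factory, string $hasherName)
    {
        // One named Symfony hasher per Laravel driver; register a second driver for a second tier.
        $this->hasher = $factory->getPasswordHasher($hasherName);
    }

    public function info($hashedValue): array
    {
        // Recognises bcrypt/argon2 strings; legacy formats report 'unknown'.
        return password_get_info((string) $hashedValue);
    }

    public function make($value, array $options = []): string
    {
        // Cost and memory parameters live in the factory config, so $options is ignored.
        return $this->hasher->hash((string) $value);
    }

    public function check($value, $hashedValue, array $options = []): bool
    {
        // Mirror Laravel's bcrypt driver: an empty stored hash never verifies.
        if ($hashedValue === null || $hashedValue === '') {
            return false;
        }

        return $this->hasher->verify((string) $hashedValue, (string) $value);
    }

    public function needsRehash($hashedValue, array $options = []): bool
    {
        // True for legacy formats and for current-algorithm hashes made with weaker parameters.
        return $this->hasher->needsRehash((string) $hashedValue);
    }
}

/**
 * Registers the driver. After adding this provider (bootstrap/providers.php on Laravel 11,
 * config/app.php earlier) and setting 'driver' => 'symfony' in config/hashing.php,
 * Hash::make(), Hash::check() and Auth::attempt() all go through Symfony's hashers.
 */
final class SymfonyHashServiceProvider extends ServiceProvider
{
    public function register(): void
    {
        Hash::extend('symfony', function () {
            $factory = new PasswordHasherFactory([
                // Old rows: unsalted hex sha1($password); verified once, never produced.
                'legacy_sha1' => ['algorithm' => 'sha1', 'encode_as_base64' => false, 'iterations' => 1],
                // 'auto' picks Argon2id via libsodium when present, otherwise bcrypt,
                // and migrate_from keeps the old rows loggable until they are rewritten.
                'users' => ['algorithm' => 'auto', 'migrate_from' => ['legacy_sha1']],
            ]);

            return new SymfonyHasher($factory, 'users');
        });
    }
}
```

The rewrite of an old hash still has to happen in the login path: on Laravel 11 the framework does it when hashing.rehash_on_login is enabled, since it calls the driver's needsRehash() and make() after a successful Auth::attempt(); on earlier versions, call Hash::needsRehash($user->password) in your login controller and save Hash::make($plain) when it returns true. Newer HashManager conveniences such as isHashed() work through info(), which this adapter answers with password_get_info().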

For Security/Compliance Teams:

*"This package addresses three key risks:

  1. Weak algorithms: Replaces SHA-1/MD5 with bcrypt or Argon2id (NIST SP 800-63B compliant).
  2. Custom implementations: Eliminates homegrown hashing (OWASP A02:2021 Cryptographic Failures).
  3. Migration pain: migrate_from (and the auto algorithm's built-in legacy support) verifies old hashes and needsRehash() flags them for rewriting at login, so there is no bulk migration and no downtime.

It integrates with Laravel's existing auth system and supports tiered security (e.g., stronger hashing for admins). The only caveat is confirming the password column can hold the longer Argon2id strings (about 97 characters from PHP, up to 128 bytes from libsodium; VARCHAR(255) is sufficient). For any project handling sensitive data, this is a must-have to meet GDPR, PCI DSS, or HIPAA requirements."*

For Product Managers:

*"This decision impacts:

  • User trust: Stronger hashing reduces breach risks, improving brand reputation.
  • Compliance costs: Avoids fines from GDPR (€20M or 4% revenue) or PCI DSS violations.
  • Feature velocity: Enables tiered security for premium features (e.g., admin dashboards) without rewriting auth.
  • Tech debt: Eliminates future refactoring costs from legacy hashing vulnerabilities.

Tradeoffs:

  • Short-term: 2–3 dev days to integrate the adapter.
  • Long-term: Weak hashing removed as a breach-amplification risk, faster compliance audits, and scalable security controls.

Recommendation: Prioritize this for high-risk products (e.g., fintech, healthcare) or if compliance deadlines are approaching."*
