Introduction of Argon2 Password Hashing Algorithm with PHP 7.2

Globally PHP is accepted as one of the most enhanced and used server-side scripting languages and there are a plethora of CMS, CRM, Frameworks and more created on this wonderful language. Certainly having a PHP 7.0 with the fastest possible speed was a great deal.

The future seems to be even brighter and secure for PHP. PHP 7.2 is definitely way faster than the 5.X series and kudos to the PHP development team for creating such a sleek version. With that said, speed has been improved, and it’s time for improving security. They have opted for the Argon2 algorithm for password hashing.

Let’s talk about the background of the issues password-hashing algorithms have been facing and how Argon2 accommodates the resolution to the issues.

In 2014 when Password Hashing Competition started there were multiple problems that were being addressed.

1. Memory addressing: should it be input-dependent, input-independent, or hybrid
2. Memory Cost: Filling more memory or making more passes over the memory, which one is more robust?
3. Memory Block Size: What should be the large single memory block be considering the fact that the processing should not slow down due to the limited amount of long registers?
4. Parallelizing calls to the hashing: What would be the way to exploit multiple cores of current CPUs, as and when they are available?

The answer to these issues is more or less resolved by the Argon2 algorithm with their state of the art in the design of the memory-hard functions. The algorithm is simplistic and has two versions to address different issues. Argon2i and Argon2d.

Argon2i uses data-independent memory access. It is slower because it makes more passes over the memory to protect from tradeoff attacks. It is highly recommended for password hashing and password-based key derivation.

Argon2d used data-dependent memory access. It is faster is best suited for applications with no threats from side-channel attacks and also offers the highest resistance against GPU cracking attacks.

How are you going to access get benefits of this amazing algorithm using PHP 7.2?

Since PHP has only included the Argon2i version, there is a new constant defined for password hashing.
PASSWORD_ARGON2I
PASSWORD_ARGON2 – Alias of PASSWORD_ARGON2I

Subsequently, there are 3 more constants introduced, which are associated with the Argon2 algorithm.

1. Memory Cost: PASSWORD_ARGON2_DEFAULT_MEMORY_COST
   This defines the memory usage for the implementation of the algorithm.
2. Time Cost: PASSWORD_ARGON2_DEFAULT_TIME_COST
   Execution time for the algorithm to take the password and make all passes over the memory and protect it.
3. Threads: PASSWORD_ARGON2_DEFAULT_THREADS

Parallelization for the number of threads that can compute using the same algorithm

Argon2 is optimized for the x86 and x86_64 architecture. However, there is a minimal slowdown noticed on the older processors. We will certainly value Argon2 for its highest performance and ability to use multiple computational cores to protect tradeoff attacks.

The PHP team has done exceptional job with this and have also changed several functions like password_get_info(), password_verify(), password_hash(), password_needs_rehash().

It is definitely a celebrating moment for PHP Development Firms globally and for PHP Developers for upgrading their PHP version to a fast and much more secure version with the award-winning password hashing algorithms.

We shall look forward to your feedback on if there are any other algorithms that can serve better to PHP 7.2 and how. Please feel free to comment.