laravel/flarum change hash

erroras

How to change Bcrypt to Argon2?

luceos

erroras it would be better using passport server in laravel and the passport extension in Flarum. Flarum currently runs on Laravel 6, an upgrade to 8 is planned but not ready yet. Using SSO circumvents any dependency between these two apps. You will run into more issues if you try to load Flarum inside a Laravel codebase.

erroras

is it possible to change the bcrypt algorithm to crypt_blowfish ($2a$)?

askvortsov

erroras An extension could replace the hasher entirely via container bindings and the Service Provider extender, or listen into the CheckingPassword event (or use the password checker extender coming in beta 16, since the event will be deprecated) to apply more custom logic. Of course, replacing the hasher completely would break previously stored password hashes.

clarkwinkelmann

askvortsov replacing the hasher completely would break previously stored password hashes

Actually no. Since Argon2 is another hash supported by PHP. The hash value itself contains an identifier for the hash method used, and PHP will use that when calling password_verify. When using the base Laravel/PHP hasher, the selected algorithm merely applies to new hashes.

Same applies for the number of hashing rounds. If you change it, it applies to new hashes, but old hashes will still work and will not be updated automatically.

askvortsov

clarkwinkelmann Huh, I learned something today! Cool 😁

erroras

Will the beta version 16 change to Argon2?

tankerkiller125

erroras At this time we have no plans to change the hash algorithm that Flarum uses by default.

Bcrypt is still a very valid and safe hashing mechanism for passwords.

erroras

Well yes but I need argon2

clarkwinkelmann

erroras askvortsov described how it could be achieved using an extension askvortsov

If you don't have the knowledge to create an extension yourself, you could reach out to a developer to get it developed for you. This isn't a very complicated extension to do, particularly if the alternative hasher is just hard-coded in the extension.

A more advanced community extension could add a setting to the admin panel to choose between multiple hashers.