
Can the 'auto' algorithm of the Symfony Security encoder change encoding method?


In Symfony 4.3, it is recommended to use the auto option for encoding algorithm:

# config/packages/security.yaml
security:
    # ...

    encoders:
        # use your user class name here
        App\Entity\User:
            # Use native password encoder
            # This value auto-selects the best possible hashing algorithm.
            algorithm: auto

My question is in regards to the comment in the code above: can the algorithm change if the "best possible" algorithm changes? If so, how will this affect the currently existing stored passwords?


Solution

  • Yes.

    According to this comment about an issue on the Symfony Github repository:

    [Security] 4.3 Always "Bad credentials." with algorithm "auto"

    sodium can't validate bcrypt passwords, that's the issue. of course you can't move from sha512 to auto/native/sodium without a migration plan (one will be provided in 4.4)

    I guess compatibility will be ensured by libsodium. So I suppose users whose password has been hashed with the previous "best possible" algorithm will be able to login, but their password will NOT be re-hashed with the new "best possible" algorithm.

    As for passwords hashed with an algorithm not supported by libsodium (e.g. bcrypt), users will NOT be able to login if you don't tell Symfony which encoder to use for these users specifically.

    See the getEncoderName() method at https://symfony.com/doc/current/security/named_encoders.html to learn how to juggle with multiple encoders and tell Symfony which one to use.
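As an added example (not part of the question or the answer above), this is one way to apply the getEncoderName() approach on Symfony 4.3: keep a dedicated bcrypt encoder for hashes that already exist, and let the User entity route each user to it based on the stored hash's prefix, with everyone else falling through to auto. The encoder name `legacy_bcrypt`, the constructor and the property names are assumptions.

```php
<?php
// Assumed config/packages/security.yaml for this example ("legacy_bcrypt"
// is an assumed encoder name, not one Symfony defines):
//
//   security:
//       encoders:
//           App\Entity\User:
//               algorithm: auto       # new hashes: best algorithm available
//           legacy_bcrypt:
//               algorithm: bcrypt     # hashes stored before the switch to auto
//               cost: 12

namespace App\Entity;

use Symfony\Component\Security\Core\Encoder\EncoderAwareInterface;
use Symfony\Component\Security\Core\User\UserInterface;

class User implements UserInterface, EncoderAwareInterface
{
    private $username;
    private $password; // stored hash, e.g. "$2y$12$..." (bcrypt) or "$argon2id$..."

    public function __construct(string $username, string $passwordHash)
    {
        $this->username = $username;
        $this->password = $passwordHash;
    }

    public function getUsername(): string { return $this->username; }
    public function getPassword(): string { return $this->password; }
    public function getRoles(): array { return ['ROLE_USER']; }
    public function getSalt(): ?string { return null; } // bcrypt/argon2 embed their own salt
    public function eraseCredentials(): void {}

    /**
     * Pick the encoder from the stored hash rather than from the user record:
     * a bcrypt hash ("$2y$", "$2a$" or "$2b$" prefix) goes to the dedicated
     * bcrypt encoder; returning null uses the class default, which is "auto".
     */
    public function getEncoderName(): ?string
    {
        if (preg_match('/^\$2[aby]\$/', $this->password) === 1) {
            return 'legacy_bcrypt';
        }

        return null;
    }
}
```

The second encoder only verifies hashes that already exist; new hashes are still produced by auto, so the bcrypt entries disappear as users' passwords are re-set.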