[RFC] Give back control of password hashing algorithm to app developer

**Description**  
(From https://github.com/symfony/symfony/issues/30914#issuecomment-518803478, https://github.com/symfony/symfony/issues/30914#issuecomment-518843060, https://github.com/symfony/symfony/issues/30914#issuecomment-518847109)

I think what's still very disturbing to me is that the app developer will completely lose control over which password hashing algorithm to use.

What's worse, if you have a scenario where you upgrade your PHP version / sodium extension and a new algorithm becomes supported, then if you rollback the app, the password would then fail to verify. There is no way to prevent this from happening if the app developer is forced to use `auto`.

TL;DR: `auto` is a good default, but choice is good (and sometimes necessary).

**Example**  
```yaml
encoders:
    App\Entity\User:
        algorithm: argon2id
```

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Uh oh!

[RFC] Give back control of password hashing algorithm to app developer #33054

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Uh oh!

[RFC] Give back control of password hashing algorithm to app developer #33054

Description

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions