You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
I think what's still very disturbing to me is that the app developer will completely lose control over which password hashing algorithm to use.
What's worse, if you have a scenario where you upgrade your PHP version / sodium extension and a new algorithm becomes supported, then if you rollback the app, the password would then fail to verify. There is no way to prevent this from happening if the app developer is forced to use auto.
TL;DR: auto is a good default, but choice is good (and sometimes necessary).
Example
encoders:
App\Entity\User:
algorithm: argon2id
julienfalque, apfelbox, dheineman, dmaicher, ro0NL and 17 more