PHP logo

PHP got a whole lot more secure this week with the release of the 7.2 branch, a version that improves and modernizes the programming language's support for cryptography and password hashing algorithms.

Of all, the most significant change in PHP 7.2 is, by far, the support for Argon2, a password hashing algorithm [1, 2, 3] developed in the early 2010s and which won the Password Hashing Competition in 2015 [1, 2].

Argon2 beat 23 other algorithms to win the Password Hashing Competition, and is now in the midst of becoming a universally recognized Internet standard at the Internet Engineering Task Force (IETF), the reward for winning the contest.

Argon2 considered superior to Bcrypt

The algorithm is currently considered to be superior to Bcrypt, today's most widely used password hashing function, in terms of both security and cost-effectiveness.

Besides password hashing functions, the algorithm is also ideal for proof-of-work operations, used with modern electronic (crypto)currencies.

Starting with PHP 7.2, released on Thursday, Argon2 v1.3 has been added to the PHP core, and developers can use it via the password_hash() function.

// Argon2i with default cost factors
password_hash('password', PASSWORD_ARGON2I);

Mcrypt out, Libsodium in

The other major change in PHP 7.2 was the removal of the old Mcrypt cryptographic library from the PHP core and the addition of Libsodium, a more modern alternative.

This modification came after a suggestion made by Scott Arciszewski, Chief Development Officer at Paragon Initiative Enterprises.

"Let's get rid of ext/mcrypt, which is abandonware and inhibits the growth of the language, as soon as humanly possible," Arciszewski wrote in early 2016.

"Libmcrypt hasn't been touched in eight years (last release was in 2007), leaving OpenSSL as the only viable option for PHP 5.x and 7.0 users," the expert also added. "Libsodium is a modern cryptography library that offers authenticated encryption, high-speed elliptic curve cryptography, and much more. Unlike other cryptography standards (which are a potluck of cryptography primitives; i.e. WebCrypto), Libsodium is comprised of carefully selected algorithms implemented by security experts to avoid side-channel vulnerabilities. "

Bleeping Computer had a chat with Mr. Arciszewski this past February about Libsodium's addition to PHP when work started on the early dev versions of the PHP 7.2 code. At the time, PHP became the first programming language to embed a modern cryptography library in its core distribution, instead of a plug-in.

Despite being the butt of all jokes in the programming world for the last decade, PHP has become quite faster and more secure since the release of version 7.x in late 2015.

UPDATE: An earlier version of this article referenced Scott Arciszewski as the creator of the Libsodium library. That is incorrect. Libsodium's author is Frank Denis. Bleeping Computer regrets the error.