Password migration cutoff date
Set a **fixed** cutoff date to automatically disable legacy password (plain, MD5, PHPass, etc.) after a specific time, ensuring only modern hashes (see below) are accepted. You can provide any string (without quotes) that [DateTimeImmutable](https://www.php.net/manual/en/datetime.formats.php) can parse, e.g. `2026-01-01 00:00:00`.
Password algorithm
Supported values are: ``bcrypt`` (default), ``sodium``, ``argon2i``, ``argon2id`` |Algorithm|Description| |---------|---------| |`bcrypt`|It produces hashed passwords with the bcrypt password hashing function. Hashed passwords are 60 characters long, so make sure to allocate enough space for them to be persisted. | |`sodium`|It uses the Argon2 key derivation function. Argon2 support was introduced in PHP 7.2 by bundling the `libsodium` extension. Hashed passwords are 96 characters long, but this may change in the future, so make sure to allocate enough space for them to be persisted. Requires [sodium](https://www.php.net/manual/en/book.sodium.php) extension v1.0.14 or higher.| |`argon2i`|Use the Argon2i hashing algorithm to create the hash. This algorithm is only available if PHP has been compiled with Argon2 support.| |`argon2id`|Use the Argon2id hashing algorithm to create the hash. This algorithm is only available if PHP has been compiled with Argon2 support.|
Password cost (4-31)
The algorithmic cost, it is an integer in the range of 4-31, default is `13`. Each single increment of the cost doubles the time it takes to hash a password. It's designed this way so the password strength can be adapted to the future improvements in computation power. If `0`, default is used.
Password time cost (>=3)
For ``argon2i`` or ``argon2id`` only. Maximum amount of time it may take to compute the Argon2 hash. Value must be >=3, default is `4`. If `0`, default is used.
Password memory cost (>=10)
For ``argon2i`` or ``argon2id`` only. Maximum memory that may be used to compute the Argon2 hash. Value must be >=10, default is `64`. If `0`, default is used.
**Notes** 1. Symfony multiplies the memory cost by `1024`, if you enter `64`, it means `64 * 1024`. 1. If [sodium](https://www.php.net/manual/en/book.sodium.php) extension is **installed**, [sodium_crypto_pwhash_str()](http://php.net/manual/en/function.sodium-crypto-pwhash-str.php) will be used, the `$memlimit` argument is in **bytes**, not in kibibytes. If you enter `64`, it means `64 * 1024` bytes only, so you may want to enter `65536` instead. 1. If [sodium](https://www.php.net/manual/en/book.sodium.php) extension is **not installed**, [password_hash()](https://www.php.net/manual/en/function.password-hash.php) will be used, the `memory_cost` option is in **kibibytes**. If you enter `64`, it means `64 * 1024` kibibytes.