Argon2 is a new-generation key derivation algorithm that was designed to resist side-channel attacks (i variants) and GPU brute force (d variants), unlike our current PBKDF2. Now that we have Argon2 support in core, we should talk about protecting our users with it.

- Argon2i requires PHP 7.2
- Argon2id requires PHP 7.3

We need to determine whether we want to wait for PHP 7.3 to get Argon2id, and determine algorithm parameters (memory cost, time cost and thread count).

Blocked on completion of T176370: Migrate to PHP 7 in WMF production.
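
One way to approach the parameter question above is to measure on the target hardware. This is an added example, not code from the task or from MediaWiki. It uses only PHP's native `password_*` functions; the 64 MiB memory cost, single thread, 250 ms latency target and time-cost floor of 3 are assumptions chosen for illustration.

```php
<?php
// Added example. Prefers Argon2id (PHP 7.3+), falls back to Argon2i (PHP 7.2+).
function pickArgon2Algo() {
    if (defined('PASSWORD_ARGON2ID')) { return PASSWORD_ARGON2ID; }
    if (defined('PASSWORD_ARGON2I'))  { return PASSWORD_ARGON2I; }
    return null; // PHP built without Argon2 support
}

// Hold memory and threads fixed, raise time_cost until one hash takes at
// least $targetMs on this machine. Returns [options, measured milliseconds].
function calibrateTimeCost($algo, int $memoryKiB, int $threads, float $targetMs,
                           int $minTimeCost = 3, int $maxTimeCost = 32): array {
    $options = ['memory_cost' => $memoryKiB, 'threads' => $threads];
    $elapsedMs = 0.0;
    for ($t = $minTimeCost; $t <= $maxTimeCost; $t++) {
        $options['time_cost'] = $t;
        $start = microtime(true);
        password_hash('calibration-only-password', $algo, $options);
        $elapsedMs = (microtime(true) - $start) * 1000.0;
        if ($elapsedMs >= $targetMs) { break; }
    }
    return [$options, $elapsedMs];
}

$algo = pickArgon2Algo();
if ($algo === null) {
    fwrite(STDERR, "This PHP build has no Argon2 support\n");
    exit(1);
}

// Assumed budget: 64 MiB per hash, 1 thread, about 250 ms per login.
list($options, $ms) = calibrateTimeCost($algo, 65536, 1, 250.0);
printf("memory_cost=%d KiB time_cost=%d threads=%d (%.0f ms)\n",
    $options['memory_cost'], $options['time_cost'], $options['threads'], $ms);

// A hash stored under weaker parameters (constructed sample) is detected
// after a successful login and replaced while the plaintext is available.
$weaker = ['memory_cost' => 32768, 'time_cost' => 3, 'threads' => 1];
$stored = password_hash('constructed-sample-password', $algo, $weaker);
if (password_verify('constructed-sample-password', $stored)
    && password_needs_rehash($stored, $algo, $options)) {
    $stored = password_hash('constructed-sample-password', $algo, $options);
}
printf("stored hash now uses %s, rehash needed: %s\n",
    password_get_info($stored)['algoName'],
    password_needs_rehash($stored, $algo, $options) ? 'yes' : 'no');
```

Run it on hardware representative of the login servers; the memory cost multiplied by the number of concurrent logins has to fit in available RAM.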