Replace sha256 user password encoder with bcrypt

[eXtreme]

http://codahale.com/how-to-safely-store-a-password/
https://paragonie.com/blog/2015/08/you-wouldnt-base64-a-password-cryptography-decoded
and so on...

security:
    encoders:
        Cantiga\CoreBundle\Entity\User:
-             algorithm: sha256
+             algorithm: bcrypt
-             encode_as_base64: true
-             iterations: 0
+             cost: 12

and of course, reset current user passwords.

Symfony already requires ircmaxell/password-compat package which provides password_hash, password_verify and password_needs_rehash for PHP < 5.5 but you can explicitly require it in your composer.json.

[eXtreme]

BTW. new article on that topic https://paragonie.com/blog/2016/02/how-safely-store-password-in-2016 by php's notorious security advisor, also relevant for other languages