From 5fe1212df34842bedfe3c0bb200fa0125427725d Mon Sep 17 00:00:00 2001 From: Sebastiaan Stok Date: Wed, 3 Oct 2012 11:17:56 +0200 Subject: [PATCH] [Security] added new documentation about the PBKDF2 password encoder --- book/security.rst | 3 +++ reference/configuration/security.rst | 18 ++++++++++++++++++ 2 files changed, 21 insertions(+) diff --git a/book/security.rst b/book/security.rst index 3fb2b2ba27f..bec824c52b8 100644 --- a/book/security.rst +++ b/book/security.rst @@ -1200,6 +1200,9 @@ it as base64. In other words, the password has been greatly obfuscated so that the hashed password can't be decoded (i.e. you can't determine the password from the hashed password). +.. versionadded:: 2.2 + As of Symfony 2.2 you can also use the PBKDF2 password encoder. + If you have some sort of registration form for users, you'll need to be able to determine the hashed password so that you can set it on your user. No matter what algorithm you configure for your user object, the hashed password diff --git a/reference/configuration/security.rst b/reference/configuration/security.rst index e98da61f58f..d3bcc9c7f7d 100644 --- a/reference/configuration/security.rst +++ b/reference/configuration/security.rst @@ -55,6 +55,13 @@ Each part will be explained in the next section. encode_as_base64: true iterations: 5000 + # PBKDF2 encoder + Acme\Your\Class\Name: + algorithm: pbkdf2 + hash_algorithm: sha512 + encode_as_base64: true + iterations: 1000 + # Example options/values for what a custom encoder might look like Acme\Your\Class\Name: algorithm: ~ 
@@ -189,6 +196,17 @@ Each part will be explained in the next section. ROLE_ADMIN: [ROLE_ORGANIZER, ROLE_USER] ROLE_SUPERADMIN: [ROLE_ADMIN] +.. caution:: + PBKDF2 encoder uses the PBKDF2 (Password-Based Key Derivation Function 2). + + Providing a high level of Cryptographic security, + as recommended by the National Institute of Standards and Technology (NIST). + + But also warrants a warning, using PBKDF2 (with a high number of iterations) slows down the process. + PBKDF2 should be used with caution and care. + + A good configuration lies around at least 1000 iterations and sha512 for the hash algorithm. + .. _reference-security-firewall-form-login: Form Login Configuration
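Review bot: the `.. versionadded:: 2.2` note in the book/security.rst hunk repeats the version number in its body ("As of Symfony 2.2 you can also use the PBKDF2 password encoder.") and gives the reader no pointer to where the encoder is configured or how it relates to the sha512 encoder described in the paragraph just above it. Suggest a body that states what was added and where to look, e.g. `The PBKDF2 password encoder was added; see the security configuration reference for its options.`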
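Review bot: in the encoders hunk of reference/configuration/security.rst the new PBKDF2 entry is keyed `Acme\Your\Class\Name:`, which is the same mapping key as the custom-encoder example immediately below it, so the two entries collide: a YAML parser either keeps only one of them or rejects the document, and anyone copying the block into their own config gets one encoder silently dropped. Give the PBKDF2 example a distinct placeholder class (for instance `Acme\Your\Pbkdf2\User:`) so the example is valid YAML as rendered.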
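Review bot: the `.. caution::` block is inserted under the role_hierarchy example (right after `ROLE_SUPERADMIN: [ROLE_ADMIN]`) but documents the `encoders` options at the top of the file, so it will be read out of context; move it directly below the encoders block. The wording also needs tightening: "PBKDF2 encoder uses the PBKDF2 (Password-Based Key Derivation Function 2)." and "Providing a high level of Cryptographic security," are fragments, and "warrants a warning, using PBKDF2 (with a high number of iterations) slows down the process" presents the slowness as a drawback when it is the intended property, since the same per-hash cost applies to anyone guessing passwords offline. Suggest something like: `PBKDF2 deliberately makes each hash expensive to compute; use at least 1000 iterations with sha512 and raise the count as far as your login latency allows.`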