diff --git a/book/security.rst b/book/security.rst index 49719291d89..f132e8cbc7e 100644 --- a/book/security.rst +++ b/book/security.rst @@ -1358,6 +1358,15 @@ the password is simply run through the ``sha1`` algorithm one time and without any extra encoding. You can now calculate the hashed password either programmatically (e.g. ``hash('sha1', 'ryanpass')``) or via some online tool like `functions-online.com`_ +.. caution:: + + The above example is not meaned for practical usage, it uses a weak hash + algorithm and it is only done to be able to generate the password easily. Using + :ref:`BCrypt ` is a better option. + +.. versionadded:: 2.2 + The BCrypt encoder was introduced in Symfony 2.2. + If you're creating your users dynamically (and storing them in a database), you can use even tougher hashing algorithms and then rely on an actual password encoder object to help you encode passwords. For example, suppose your User @@ -1373,7 +1382,7 @@ configure the encoder for that user: # ... encoders: - Acme\UserBundle\Entity\User: sha512 + Acme\UserBundle\Entity\User: bcrypt .. code-block:: xml @@ -1381,7 +1390,7 @@ configure the encoder for that user: - + .. code-block:: php 
@@ -1390,20 +1399,17 @@ configure the encoder for that user: $container->loadFromExtension('security', array( // ... 'encoders' => array( - 'Acme\UserBundle\Entity\User' => 'sha512', + 'Acme\UserBundle\Entity\User' => 'bcrypt', ), )); -In this case, you're using the stronger ``sha512`` algorithm. Also, since -you've simply specified the algorithm (``sha512``) as a string, the system -will default to hashing your password 5000 times in a row and then encoding -it as base64. In other words, the password has been greatly obfuscated so -that the hashed password can't be decoded (i.e. you can't determine the password -from the hashed password). +In this case, you're using the strong ``bcrypt`` algorithm. This means that the +password has been greatly obfuscated so that the hashed password can't be +decoded (i.e. you can't determine the password from the hashed password). .. versionadded:: 2.2 As of Symfony 2.2 you can also use the :ref:`PBKDF2 ` - and :ref:`BCrypt ` password encoders. + password encoder. Determining the Hashed Password ............................... diff --git a/cookbook/security/entity_provider.rst b/cookbook/security/entity_provider.rst index e971a84e443..e88256564f0 100644 --- a/cookbook/security/entity_provider.rst +++ b/cookbook/security/entity_provider.rst @@ -252,9 +252,7 @@ then be checked against your User entity records in the database: security: encoders: Acme\UserBundle\Entity\User: - algorithm: sha1 - encode_as_base64: false - iterations: 1 + algorithm: bcrypt role_hierarchy: ROLE_ADMIN: ROLE_USER @@ -277,9 +275,7 @@ then be checked against your User entity records in the database: ROLE_USER @@ -302,9 +298,7 @@ then be checked against your User entity records in the database: $container->loadFromExtension('security', array( 'encoders' => array( 'Acme\UserBundle\Entity\User' => array( - 'algorithm' => 'sha1', - 'encode_as_base64' => false, - 'iterations' => 1, + 'algorithm' => 'bcrypt', ), ), 'role_hierarchy' => array( 
@@ -330,9 +324,9 @@ then be checked against your User entity records in the database: ), )); -The ``encoders`` section associates the ``sha1`` password encoder to the entity +The ``encoders`` section associates the ``bcrypt`` password encoder to the entity class. This means that Symfony will expect the password that's stored in -the database to be encoded using this algorithm. For details on how to create +the database to be encoded using this encoder. For details on how to create a new User object with a properly encoded password, see the :ref:`book-security-encoding-user-password` section of the security chapter.
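Review bot: In the first hunk of book/security.rst (@@ -1358), the new caution has a typo, "meaned", and the sentence is hard to read; suggest: "The above example is not meant for practical use: it uses a weak hash algorithm and is only shown so that the hashed password can be generated easily." The ``:ref:`BCrypt ``` role also needs its target label spelled out. The added ``.. versionadded:: 2.2`` block duplicates the one that the @@ -1390 hunk keeps a few lines later ("As of Symfony 2.2 you can also use the PBKDF2 password encoder"); merging them into a single note that names both encoders would avoid two version notes for the same release in one section.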
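Review bot: In the @@ -1390 hunk of book/security.rst, the replacement paragraph loses the explanation the old one gave and describes bcrypt as having "greatly obfuscated" the password, which suggests hiding rather than hashing. The removed text at least said what the default did (5000 iterations, base64); the new text should say why bcrypt is the better choice: it is a salted, deliberately slow hash, so the stored value cannot be reversed to the password and guessing against a leaked hash is expensive. Suggest replacing "This means that the password has been greatly obfuscated so that the hashed password can't be decoded" with "bcrypt salts and slows down the hash, so the stored value cannot be turned back into the password and is costly to guess against." If the bcrypt encoder takes a work-factor option, showing it beside the algorithm name here would also be useful, since that is the setting that controls the cost.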
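Review bot: In the @@ -252 hunk of cookbook/security/entity_provider.rst, the three removed keys (``algorithm: sha1``, ``encode_as_base64: false``, ``iterations: 1``) show the old config was tuned to match plain sha1 hashes stored in the example database. Switching to ``bcrypt`` here means, as the @@ -330 hunk's own paragraph says, that Symfony will expect the stored passwords to have been produced by this encoder, so any fixture, SQL insert or sample user data elsewhere in this cookbook that still writes sha1 hashes must change in the same commit or those users will no longer be able to log in. The YAML (@@ -252) and PHP (@@ -302) variants are now consistent; please confirm the XML variant in the @@ -277 hunk received the matching change, since its content is not visible here.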
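Review bot: In the @@ -330 hunk of cookbook/security/entity_provider.rst, "associates the ``bcrypt`` password encoder to the entity class" should read "associates ... with the entity class", and "to be encoded using this encoder" is repetitive; suggest "to have been hashed by this encoder".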