From a5cb692236c102e287ebfbf8e83efaa58e239f63 Mon Sep 17 00:00:00 2001
From: Javier Eguiluz <javier.eguiluz@gmail.com>
Date: Sat, 21 May 2016 16:34:41 +0200
Subject: [PATCH] Added a note about "encoding vs. hashing" passwords

---
 book/security.rst | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/book/security.rst b/book/security.rst
index acc2f90ad75..d0840794127 100644
--- a/book/security.rst
+++ b/book/security.rst
@@ -1148,6 +1148,12 @@ is defined by the ``target`` parameter above (e.g. the ``homepage``).
 Dynamically Encoding a Password
 -------------------------------
 
+.. note::
+
+    For historical reasons, Symfony uses the term *"password encoding"* when it
+    should really refer to *"password hashing"*. The "encoders" are in fact
+    `cryptographic hash functions`_.
+
 If, for example, you're storing users in the database, you'll need to encode
 the users' passwords before inserting them. No matter what algorithm you
 configure for your user object, the hashed password can always be determined
@@ -1319,4 +1325,5 @@ Learn More from the Cookbook
 
 .. _`online tool`: https://www.dailycred.com/blog/12/bcrypt-calculator
 .. _`frameworkextrabundle documentation`: https://symfony.com/doc/current/bundles/SensioFrameworkExtraBundle/index.html
+.. _`cryptographic hash functions`: https://en.wikipedia.org/wiki/Cryptographic_hash_function
 .. _`HWIOAuthBundle`: https://github.com/hwi/HWIOAuthBundle