Supported algorithms #3158

Closed
TomCan opened this issue Nov 6, 2013 · 4 comments
Labels
actionable Clear and specific issues ready for anyone to take them. good first issue Ideal for your first contribution! (some Symfony experience may be required) hasPR A Pull Request has already been submitted for this issue. Security

Comments

@TomCan

TomCan commented Nov 6, 2013

This might sound stupid, but I just spent more than an hour figuring out why my custom entity provider wasn't working, although I (thought I) followed the entity provider tutorial.

The tutorial references the "Encoding the User's password" document, which uses a sha512 instead of the sha1 of the tutorial. Apparently, I mixed up the two docs and ended up with the sha512 base64-encoded version instead of the sha1 non-base64 version. This doesn't fit the 40 bytes that are used for the password field, so it gets truncated (which isn't logged anywhere), making the password mismatch when logging in. The solution was easy enough, but getting to it was the hard part.

I've searched the docs, but can't seem to find any reference to what algorithms are supported other than 'several built-in "encoders"' or the plaintext, sha1 and sha512 used in the examples (and the recently added pbkdf2 and bcrypt). If you're not a security expert (like me), it would be nice to have a human-readable summary (the Wikipedia page of most of these algorithms doesn't really make the average user happy) of the supported algorithms listing the key characteristics of the algorithms, like strength, tradeoffs, output format and length. I'm quite sure the latter would have probably saved me quite some time ;)

@stof
Member

stof commented Nov 6, 2013

Call hash_algos() to get the list of supported algorithms for the MessageDigestPasswordEncoder (the list depends on your PHP version).
On top of them, bcrypt, pbkdf2 and plaintext are supported through their own encoders.
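An added example (not Symfony's own code and not from any commenter) that makes the report and stof's answer concrete: it validates an algorithm name against hash_algos() and shows how the stored length changes with algorithm and output encoding, which is exactly the sha1/hex versus sha512/base64 mix-up above. The salt-and-stretch loop is an assumption modelled on MessageDigestPasswordEncoder; the 40-character column and the salt are constructed values.

```php
<?php
// Added example, not Symfony's own code. Encoded-password length depends on
// both the digest algorithm and the output encoding, so a value produced for
// one doc's settings may be silently truncated by a column sized for the other.

function encodeLikeMessageDigest(string $raw, string $salt, string $algorithm, bool $asBase64, int $iterations = 5000): string
{
    // hash_algos() is the authoritative list for the PHP build actually running.
    if (!in_array($algorithm, hash_algos(), true)) {
        throw new LogicException(sprintf('The algorithm "%s" is not supported by this PHP build.', $algorithm));
    }
    // Assumption: password{salt}, then the digest is stretched $iterations times,
    // mirroring MessageDigestPasswordEncoder; check your installed version.
    $salted = $raw . '{' . $salt . '}';
    $digest = hash($algorithm, $salted, true);
    for ($i = 1; $i < $iterations; $i++) {
        $digest = hash($algorithm, $digest . $salted, true);
    }
    return $asBase64 ? base64_encode($digest) : bin2hex($digest);
}

// Returns false when the stored value would be cut off by the column width.
function fitsColumn(string $encoded, int $columnLength): bool
{
    return strlen($encoded) <= $columnLength;
}

$columnLength = 40;              // constructed: the 40-character field from the report
$salt = 'constructed-salt';      // constructed sample value, not a real salt

foreach ([
    ['sha1',   false], // the tutorial's settings: 40 hex characters
    ['sha512', false], // 64-byte digest as hex: 128 characters
    ['sha512', true],  // the "Encoding the User's password" settings: 88 base64 characters
] as [$algorithm, $asBase64]) {
    $encoded = encodeLikeMessageDigest('s3cret', $salt, $algorithm, $asBase64);
    printf("%-7s %-6s length=%3d fits=%s\n",
        $algorithm,
        $asBase64 ? 'base64' : 'hex',
        strlen($encoded),
        fitsColumn($encoded, $columnLength) ? 'yes' : 'NO');
}
```

Running this against the real column width of the user table is a quick way to catch the truncation the report describes before it reaches login.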

@xabbuh
Member

xabbuh commented Nov 6, 2013

This doesn't fit the 40 bytes that are used for the password field, so it gets truncated (which isn't logged anywhere), making the password mismatch when logging in. The solution was easy enough, but getting to it was the hard part.

At least this was fixed recently (see #3141).

@wouterj
Member

wouterj commented Dec 3, 2013

I suggest to add a .. tip:: block in the "Encoding the User's Password" section of the book article with some sort of a copy of the comment by @stof on this issue.

@weaverryan
Member

Hi guys!

With the new note added in #3325 and the lengthening of the password field that @xabbuh mentioned (#3141), I'm going to close this. Hopefully this will eliminate any issues.

Thanks @TomCan for the original report :)

5 participants