Skip to content

Navigation Menu

Sign in
Appearance settings

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly
Appearance settings

Commit d9b2500

Browse filesBrowse files
mattattuimattattui
committed
Improve entropy of generated salt
Using a hash as a salt provides unnecessarily low entropy, especially when using Symfony's recommended password encoder (bcrypt) which truncates salt at 22 chars, giving only 16^22 bits entropy. Using base64 instead provides _up to_ 256^30 bits (256^16 to bcrypt). This change doesn't break compatibility with the built-in PasswordEncoderInterface implementations (message-digest, pbkdf2, bcrypt, plaintext), but it _might_ not work with some custom encoders if they've been assuming hexit salts. On balance I think it's fine since the commit this patches was only merged a few hours ago :D
1 parent 6b02541 commit d9b2500
Copy full SHA for d9b2500

File tree

Expand file treeCollapse file tree

1 file changed

+1
-1
lines changed
Filter options
Expand file treeCollapse file tree

1 file changed

+1
-1
lines changed

‎src/Symfony/Bundle/SecurityBundle/Command/UserPasswordEncoderCommand.php

Copy file name to clipboardExpand all lines: src/Symfony/Bundle/SecurityBundle/Command/UserPasswordEncoderCommand.php
+1-1Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -153,7 +153,7 @@ private function createSaltQuestion(InputInterface $input, OutputInterface $outp
153153
$container = $this->getContainer();
154154
$saltQuestion->setValidator(function ($value) use ($output, $container) {
155155
if ('' === trim($value)) {
156-
$value = hash('sha512', $container->get('security.secure_random')->nextBytes(30));
156+
$value = base64_encode($container->get('security.secure_random')->nextBytes(30));
157157

158158
$output->writeln("\n<comment>The salt has been generated: </comment>".$value);
159159
$output->writeln(sprintf("<comment>Make sure that your salt storage field fits this salt length: %s chars.</comment>\n", strlen($value)));

0 commit comments

Comments
0 (0)
Morty Proxy This is a proxified and sanitized view of the page, visit original site.