Commit acb7a95

committed
Merge branch '4.4' into 5.0
* 4.4: tweaking the password upgrading functionality
2 parents a6488fb + d81297e commit acb7a95
1 file changed: +16 -9 lines
security/password_migration.rst
@@ -5,21 +5,20 @@ How to Migrate a Password Hash
55
==============================
66

77
In order to protect passwords, it is recommended to store them using the latest
8-
hash algorithms. This means that if a better hash algorithm is supported on the
9-
system, the user's password should be rehashed and stored. Symfony provides this
10-
functionality when a user is successfully authenticated.
11-
12-
To enable this, make sure you apply the following steps to your application:
8+
hash algorithms. This means that if a better hash algorithm is supported on your
9+
system, the user's password should be *rehashed* using the newer algorithm and
10+
stored. That's possible with the ``migrate_from`` option:
1311

1412
#. `Configure a new Encoder Using "migrate_from"`_
1513
#. `Upgrade the Password`_
1614
#. Optionally, `Trigger Password Migration From a Custom Encoder`_
1715

1816
Configure a new Encoder Using "migrate_from"
19-
--------------------------------------------
17+
----------------------------------------------
2018

21-
When configuring a new encoder, you can specify a list of legacy encoders by
22-
using the ``migrate_from`` option:
19+
When a better hashing algorithm becomes available, you should keep the existing
20+
encoder(s), rename it, and then define the new one. Set the ``migrate_from`` option
21+
on the new encoder to point to the old, legacy encoder(s):
2322

2423
.. configuration-block::
2524

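Review bot: the new paragraph at lines 19+ to 21+ mixes plural and singular: "keep the existing encoder(s), rename it, and then define the new one". Suggest either "keep the existing encoder, rename it (for example to ``legacy``), and then define the new one" or keeping the plural throughout ("rename them"). The rest of the hunk is fine: dropping "To enable this, make sure you apply the following steps" leaves the numbered list hanging off "That's possible with the ``migrate_from`` option:", which still reads correctly because the line ends in a colon, and the heading underline growing from 44 to 46 dashes is harmless since reStructuredText only requires the underline to be at least as long as the title.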
@@ -30,6 +29,7 @@ using the ``migrate_from`` option:
3029
# ...
3130
3231
encoders:
32+
# an encoder used in the past for some users
3333
legacy:
3434
algorithm: sha256
3535
encode_as_base64: false
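Review bot: the added comment ``# an encoder used in the past for some users`` only lands in the YAML variant of this ``configuration-block``; the PHP variant (its closing ``]);`` is visible in the next hunk) receives no matching comment. For consistency across the tabs, add an equivalent ``// an encoder used in the past for some users`` above the ``legacy`` entry in the PHP example, and an XML comment if the block has an XML variant.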
@@ -98,6 +98,13 @@ using the ``migrate_from`` option:
9898
],
9999
]);
100100
101+
With this setup:
102+
103+
* New users will be encoded with the new algorithm;
104+
* Whenever a user logs in whose password is still stored using the old algorithm,
105+
Symfony will verify the password with the old algorithm and then rehash
106+
and update the password using the new algorithm.
107+
101108
.. tip::
102109

103110
The *auto*, *native*, *bcrypt* and *argon* encoders automatically enable
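Review bot: the second bullet (lines 104+ to 106+) promises that Symfony "will verify the password with the old algorithm and then rehash and update the password", but the rehash-and-update half is a separate step in the list at the top of the page (`Upgrade the Password`_); with only ``migrate_from`` configured, login succeeds through the legacy encoder and the stored hash stays on the old algorithm. Suggest qualifying the bullet, e.g. "Symfony will verify the password with the old algorithm and then, once password upgrading is implemented (see `Upgrade the Password`_), rehash and store it using the new algorithm." Two smaller points in the same hunk: "New users will be encoded with the new algorithm" should read "new users' passwords will be hashed with the new algorithm", matching the *rehashed* wording introduced in the first hunk, and the added blank line at 107+ together with the existing blank at 101/108 leaves two empty lines before ``.. tip::``; it renders, but one of them can go.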
@@ -106,7 +113,7 @@ using the ``migrate_from`` option:
106113
#. :ref:`PBKDF2 <reference-security-pbkdf2>` (which uses :phpfunction:`hash_pbkdf2`);
107114
#. Message digest (which uses :phpfunction:`hash`)
108115

109-
Both use the ``hash_algorithm`` setting as algorithm. It is recommended to
116+
Both use the ``hash_algorithm`` setting as the algorithm. It is recommended to
110117
use ``migrate_from`` instead of ``hash_algorithm``, unless the *auto*
111118
encoder is used.
112119
