I don't think this is worthwhile since it means less control of what is happening, and especially worse interoperability with non-PHP clients which want to perform password checks. However, if you don't mind the drawbacks it's fairly easy to implement a crypt()-based password encoder.
Kind regards,
Johannes

On 17 Jan., 15:05, Igor Wiedler <[email protected]> wrote:
> Password security is enhanced by using a per-user salt on the hash and
> adding multiple iterations, making it slower (stretching). The
> MessageDigestPasswordEncoder implements all of this.
>
> The blowfish-based BCrypt hashing has built-in support for all of
> these things as well. It has become a de-facto standard for salted
> + stretched hashing. It is available in PHP 5.3 through the crypt
> extension (included in the core): http://php.net/manual/en/function.crypt.php.
> It would be nice to have this as an option in Symfony2 -- or perhaps
> even as the default.
>
> * Possibly faster, since salting and iteration take place in C code.
> * Widely supported
> * Been around for a while
>
> Thoughts?
>
> BTW: I don't mind working on an implementation.

--
If you want to report a vulnerability issue on symfony, please send it to security at symfony-project.com
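The crypt()-based encoder that Johannes says is "fairly easy to implement", written out as an added example; this is not code from the thread or from the Symfony project. It follows the shape of Symfony2's PasswordEncoderInterface (the interface is redeclared here so the file runs stand-alone), generates the 22-character bcrypt salt from openssl_random_pseudo_bytes(), and verifies with crypt() re-applied to the stored hash, compared in constant time. The "$2y$" prefix is an assumption that requires PHP 5.3.7 or later; PHP 5.3.0 through 5.3.6, which is what the January 2011 thread would have had, only understand "$2a$".

```php
<?php
// Added example, not the Symfony project's own encoder. Assumes PHP >= 5.3.7
// so that the "$2y$" bcrypt prefix is available (use "$2a$" on older 5.3).

interface PasswordEncoderInterface
{
    public function encodePassword($raw, $salt);
    public function isPasswordValid($encoded, $raw, $salt);
}

class BcryptPasswordEncoder implements PasswordEncoderInterface
{
    private $cost;

    // cost is the log2 work factor; crypt() accepts 4..31
    public function __construct($cost = 12)
    {
        if ($cost < 4 || $cost > 31) {
            throw new \InvalidArgumentException('bcrypt cost must be between 4 and 31');
        }
        $this->cost = (int) $cost;
    }

    // $salt is ignored on purpose: bcrypt embeds its own 128-bit salt in the output,
    // so a per-user salt column is not needed (and would not be used) for this encoder.
    public function encodePassword($raw, $salt)
    {
        $hash = crypt($raw, $this->generateSalt());
        // on failure crypt() returns a short string such as "*0" instead of a 60-char hash
        if (strlen($hash) !== 60) {
            throw new \RuntimeException('bcrypt hashing failed; is the prefix supported by this PHP build?');
        }
        return $hash;
    }

    // Re-running crypt() with the stored hash as the "salt" argument reuses the
    // cost and salt encoded in it, so the result is comparable to the stored value.
    public function isPasswordValid($encoded, $raw, $salt)
    {
        return self::constantTimeEquals($encoded, crypt($raw, $encoded));
    }

    private function generateSalt()
    {
        $strong = false;
        $bytes = openssl_random_pseudo_bytes(16, $strong);
        if ($bytes === false || !$strong) {
            throw new \RuntimeException('no cryptographically strong randomness available');
        }
        // bcrypt's salt alphabet is ./A-Za-z0-9; standard base64 differs only in
        // using '+' where bcrypt uses '.', so translate it and keep 22 characters.
        $salt22 = substr(strtr(base64_encode($bytes), '+', '.'), 0, 22);
        return sprintf('$2y$%02d$%s', $this->cost, $salt22);
    }

    // Byte-wise comparison that does not short-circuit on the first mismatch
    // (hash_equals() only exists from PHP 5.6 onwards).
    private static function constantTimeEquals($a, $b)
    {
        if (strlen($a) !== strlen($b)) {
            return false;
        }
        $diff = 0;
        for ($i = 0, $n = strlen($a); $i < $n; $i++) {
            $diff |= ord($a[$i]) ^ ord($b[$i]);
        }
        return $diff === 0;
    }
}

// Usage
$encoder = new BcryptPasswordEncoder(12);
$hash = $encoder->encodePassword('correct horse battery staple', null);
var_dump($encoder->isPasswordValid($hash, 'correct horse battery staple', null));
var_dump($encoder->isPasswordValid($hash, 'wrong password', null));
```

Two caveats a practitioner should keep in mind with this approach: bcrypt only consumes the first 72 bytes of the password, so longer inputs are silently truncated, and the length check after crypt() matters because a build without bcrypt support would otherwise store a failure marker as if it were a hash and every later login would fail.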
