Password security is enhanced by using a per-user salt on the hash and adding multiple iterations, making it slower (stretching). The MessageDigestPasswordEncoder implements all of this.
The blowfish-based BCrypt hashing has built-in support for all of these things as well. It has become a de-facto standard for salted + stretched hashing. It is available in PHP 5.3 through the crypt extension (included in the core): http://php.net/manual/en/function.crypt.php. It would be nice to have this as an option in Symfony2 -- or perhaps even as the default.

* Possibly faster, since salting and iteration take place in C code.
* Widely supported
* Been around for a while

Thoughts?

BTW: I don't mind working on an implementation.
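An added example (not from the original post, nor Symfony's own code) of what the proposal amounts to in practice: salted, stretched hashing through PHP 5.3's crypt() with the BCrypt "$2a$" scheme, where the per-user salt and the cost (iteration) factor are stored inside the hash string itself. It assumes PHP 5.3 with OpenSSL available for openssl_random_pseudo_bytes(); the function names are the example's own.

```php
<?php
// Added example, not code from the post or from Symfony. Assumes PHP >= 5.3
// with OpenSSL so that openssl_random_pseudo_bytes() is available.

// Hash a password with BCrypt via crypt(). $cost is the log2 work factor:
// the key setup runs 2^$cost times, which is the "stretching" in the post.
function bcrypt_hash($password, $cost = 12)
{
    if ($cost < 4 || $cost > 31) {
        throw new InvalidArgumentException('BCrypt cost must be between 4 and 31');
    }
    // 16 random bytes -> 22 characters of BCrypt's ./A-Za-z0-9 salt alphabet
    // (BCrypt uses '.' where base64 uses '+').
    $raw = openssl_random_pseudo_bytes(16, $strong);
    if ($raw === false || !$strong) {
        throw new RuntimeException('No cryptographically strong random source');
    }
    $salt = substr(strtr(base64_encode($raw), '+', '.'), 0, 22);
    // Setting format: $2a$ + two-digit cost + 22-character salt.
    $hash = crypt($password, sprintf('$2a$%02d$%s', $cost, $salt));
    // crypt() returns a short failure string when the scheme is unsupported;
    // a BCrypt hash is always 60 characters long.
    if (strlen($hash) !== 60) {
        throw new RuntimeException('BCrypt is not supported by this crypt() build');
    }
    return $hash;
}

// Verify: crypt() re-reads cost and salt from the stored hash, so no
// separate salt or iteration count has to be kept per user.
function bcrypt_verify($password, $stored)
{
    $candidate = crypt($password, $stored);
    if (strlen($candidate) !== strlen($stored)) {
        return false;
    }
    // Constant-time comparison (hash_equals() only exists from PHP 5.6).
    $diff = 0;
    for ($i = 0, $n = strlen($stored); $i < $n; $i++) {
        $diff |= ord($candidate[$i]) ^ ord($stored[$i]);
    }
    return $diff === 0;
}

// Usage: store $stored in the user record; verify on login.
$stored = bcrypt_hash('correct horse battery staple');
var_dump(bcrypt_verify('correct horse battery staple', $stored));
var_dump(bcrypt_verify('wrong password', $stored));
```

Raising $cost is how the hash is slowed down as hardware gets faster; because the cost is embedded in the stored string, existing hashes keep verifying while new ones are produced at the higher setting.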
