symfony
Bob Smith, 2014-02-14 14:38:58

What is the password hashing algorithm in PHP Symfony Framework?

How are passwords hashed in the Symfony Framework?
The config contains md5 without a salt, but it looks like there is something extra: something more like base64 is stored in the database: a 24-byte string ending in ==.
For example, for password 123456, the database contains "aZa1mXKIjfg0XlFgGOaSUg==", while md5 for this password is "e10adc3949ba59abbe56e057f20f883e". I tried to decode this string from base64, got the hash "6996b59972888df8345e516018e69252". I tried to guess the password for this hash via https://crackstation.net/ - it didn't work.
The algorithm must be learned, because one database will have two systems with common users and data.


3 answer(s)
gro, 2014-02-14
@gro

Like everything else in Symfony, this behavior is configurable, dependency-injected, and modified to the point of impossibility.
https://github.com/symfony/symfony/tree/1fcc7c50e1...

Sergey Protko, 2014-02-14
@Fesor

You can implement your own password encoder. I suspect that md5 is calculated more than once (as in the case of sha512) to complicate the selection.
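
The iterated scheme suspected in the answer above, as an added example that is not part of the original answers and is not Symfony's own code: a Python re-implementation of the digest loop used by Symfony 2's MessageDigestPasswordEncoder, so a second system sharing the user table can check the same hashes. The 5000-round and base64 defaults are assumptions to confirm against the application's encoder configuration, and all function names are hypothetical.

```python
import base64
import hashlib
import hmac

# Value quoted in the question for the password "123456".
PAGE_STORED = "aZa1mXKIjfg0XlFgGOaSUg=="

def _merge(password, salt):
    # Symfony 2 merges a non-empty salt as password{salt}; an empty salt leaves the password as is.
    return (password + "{" + salt + "}" if salt else password).encode("utf-8")

def symfony_digest(password, salt="", algorithm="md5", iterations=5000, as_base64=True):
    """Iterated digest; 5000 rounds and base64 output are assumed defaults, check the config."""
    salted = _merge(password, salt)
    digest = hashlib.new(algorithm, salted).digest()
    # Each further round hashes the previous raw digest concatenated with the salted password.
    for _ in range(1, iterations):
        digest = hashlib.new(algorithm, digest + salted).digest()
    return base64.b64encode(digest).decode("ascii") if as_base64 else digest.hex()

def verify(stored, password, **params):
    """Compare a stored value with a candidate password in constant time."""
    return hmac.compare_digest(stored, symfony_digest(password, **params))

def raw_hex(stored):
    """Hex form of the raw digest behind a base64-encoded stored value."""
    return base64.b64decode(stored).hex()

def find_iterations(stored, password, salt="", algorithm="md5", max_iterations=10000):
    """Round count that reproduces `stored` for a known password, or None if none does."""
    target = base64.b64decode(stored)
    salted = _merge(password, salt)
    digest = hashlib.new(algorithm, salted).digest()
    for rounds in range(1, max_iterations + 1):
        if hmac.compare_digest(digest, target):
            return rounds
        digest = hashlib.new(algorithm, digest + salted).digest()
    return None

if __name__ == "__main__":
    print("raw digest:", raw_hex(PAGE_STORED), "(16 bytes = MD5 output size)")
    print("rounds reproducing the stored value:", find_iterations(PAGE_STORED, "123456"))
```

If `find_iterations` returns `None` for a known password, the application is not using this scheme with these parameters, and a custom encoder or a per-user salt is the next thing to check.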

shagguboy, 2014-02-14
@shagguboy

Symfony\Component\Security\Core\Encoder
Supported algorithms for this method depend on your PHP version. A full list is available by calling the PHP function hash_algos.
New in version 2.2: As of Symfony 2.2 you can also use the PBKDF2 password encoder.
If you're using PHP 5.4 or lower, you'll need to install the ircmaxell/password-compat library via Composer in order to be able to use the bcrypt encoder:
