Commit
minor #14018 [Security] Improve entropy of generated salt (inanimatt)
This PR was merged into the 2.7 branch.

Discussion
----------

[Security] Improve entropy of generated salt

| Q             | A
| ------------- | ---
| Bug fix?      | yes
| New feature?  | no
| BC breaks?    | no
| Deprecations? | no
| Tests pass?   | yes
| Fixed tickets | n/a
| License       | MIT
| Doc PR        | n/a

Using a hash as a salt provides unnecessarily low entropy, especially when using Symfony's recommended password encoder (bcrypt), which truncates salt at 22 chars, giving only 16^22 bits entropy. Using base64 instead provides _up to_ 256^30 bits (256^16 to bcrypt).

This change doesn't break compatibility with the built-in PasswordEncoderInterface implementations (message-digest, pbkdf2, bcrypt, plaintext), but it _might_ not work with some custom encoders if they've been assuming hexit salts. On balance I think it's fine since the commit this patches was only merged a few hours ago :D

Commits
-------

d9b2500 Improve entropy of generated salt
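To make the truncation argument above concrete, here is an added example (not Symfony's code, and not from this PR) that builds a salt both ways and computes how many bits of entropy bcrypt actually receives once only the first 22 salt characters are kept; the hash-based source is a hypothetical stand-in, since the page does not show the original generator.

```python
import base64
import hashlib
import math
import secrets

# bcrypt only consumes the first 22 characters of the salt it is given.
BCRYPT_SALT_CHARS = 22


def hex_digest_salt() -> str:
    """Old style described in the PR: a hex digest used as the salt.
    The hashed input is a hypothetical stand-in for the original source."""
    return hashlib.sha256(secrets.token_bytes(32)).hexdigest()


def base64_salt(nbytes: int = 30) -> str:
    """New style described in the PR: base64 of random bytes (30 bytes)."""
    return base64.b64encode(secrets.token_bytes(nbytes)).decode("ascii")


def truncated_entropy_bits(salt: str, alphabet_size: int,
                           source_bits: int, keep: int = BCRYPT_SALT_CHARS) -> float:
    """Entropy bcrypt actually sees: bits per kept character (log2 of the
    alphabet size) times the characters kept, never more than the random
    source behind the salt can provide."""
    used = salt[:keep]
    return min(len(used) * math.log2(alphabet_size), source_bits)


def compare() -> dict:
    """Hex: 16 symbols, 4 bits/char, 22 chars -> 88 bits.
    Base64: 64 symbols, 6 bits/char, 22 chars -> 132 bits (source has 240)."""
    return {
        "hex": truncated_entropy_bits(hex_digest_salt(), 16, 256),
        "base64": truncated_entropy_bits(base64_salt(), 64, 30 * 8),
    }


if __name__ == "__main__":
    for kind, bits in compare().items():
        print(f"{kind:6s} salt -> {bits:.0f} bits after bcrypt truncation")
```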