From d9b2500a20c79fed8a82cebe8f9139bb78e4b97d Mon Sep 17 00:00:00 2001
From: Matt Robinson
Date: Sun, 22 Mar 2015 21:27:19 +0000
Subject: [PATCH] Improve entropy of generated salt

Using a hash as a salt provides unnecessarily low entropy, especially when using Symfony's recommended password encoder (bcrypt) which truncates salt at 22 chars, giving only 16^22 bits entropy. Using base64 instead provides _up to_ 256^30 bits (256^16 to bcrypt). This change doesn't break compatibility with the built-in PasswordEncoderInterface implementations (message-digest, pbkdf2, bcrypt, plaintext), but it _might_ not work with some custom encoders if they've been assuming hexit salts. On balance I think it's fine since the commit this patches was only merged a few hours ago :D
---
 .../SecurityBundle/Command/UserPasswordEncoderCommand.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/Symfony/Bundle/SecurityBundle/Command/UserPasswordEncoderCommand.php b/src/Symfony/Bundle/SecurityBundle/Command/UserPasswordEncoderCommand.php
index 7a0746cba07f..6bb54825e756 100644
--- a/src/Symfony/Bundle/SecurityBundle/Command/UserPasswordEncoderCommand.php
+++ b/src/Symfony/Bundle/SecurityBundle/Command/UserPasswordEncoderCommand.php
@@ -153,7 +153,7 @@ private function createSaltQuestion(InputInterface $input, OutputInterface $outp
 $container = $this->getContainer();
 $saltQuestion->setValidator(function ($value) use ($output, $container) {
 if ('' === trim($value)) {
- $value = hash('sha512', $container->get('security.secure_random')->nextBytes(30));
+ $value = base64_encode($container->get('security.secure_random')->nextBytes(30));
 $output->writeln("\nThe salt has been generated: ".$value);
 $output->writeln(sprintf("Make sure that your salt storage field fits this salt length: %s chars.\n", strlen($value)));