@@ -270,20 +270,92 @@ Redirecting after Login
* ``target_path_parameter `` (type: ``string ``, default: ``_target_path ``)
* ``use_referer `` (type: ``Boolean ``, default: ``false ``)
+ .. _reference-security-pbkdf2 :
+
Using the PBKDF2 encoder: security and speed
--------------------------------------------
+ .. versionadded :: 2.2
+ The PBKDF2 password encoder was added in Symfony 2.2.
+
The `PBKDF2 `_ encoder provides a high level of Cryptographic security, as
recommended by the National Institute of Standards and Technology (NIST).
+ You can see an example of the ``pbkdf2 `` encoder in the YAML block on this page.
+
But using PBKDF2 also warrants a warning: using it (with a high number
of iterations) slows down the process. Thus, PBKDF2 should be used with
caution and care.
A good configuration lies around at least 1000 iterations and sha512
for the hash algorithm.
- .. _`PBKDF2` : http://en.wikipedia.org/wiki/PBKDF2
+ .. _reference-security-bcrypt :
+
+ Using the BCrypt Password Encoder
+ ---------------------------------
+
+ .. versionadded :: 2.2
+ The BCrypt password encoder was added in Symfony 2.2.
+
+ .. configuration-block ::
+
+ .. code-block :: yaml
+
+ # app/config/security.yml
+ security :
+ # ...
+ encoders :
+ Symfony\Component\Security\Core\User\User :
+ algorithm : bcrypt
+ cost : 15
+
+ .. code-block :: xml
+
+ <!-- app/config/security.xml -->
+ <config >
+ <!-- ... -->
+ <encoder
+ class =" Symfony\Component\Security\Core\User\User"
+ algorithm =" bcrypt"
+ cost =" 15"
+ />
+ </config >
+
+ .. code-block :: php
+
+ // app/config/security.php
+ $container->loadFromExtension('security', array(
+ // ...
+ 'encoders' => array(
+ 'Symfony\Component\Security\Core\User\User' => array(
+ 'algorithm' => 'bcrypt',
+ 'cost' => 15,
+ ),
+ ),
+ ));
+
+ The ``cost `` can be in the range of ``4-31 `` and determines how long a password
+ will be encoded. Each increment of ``cost `` *doubles * the time it takes to
+ encode a password.
+
+ If you don't provide the ``cost `` option, the default cost of ``13 `` is used.
+
+ .. note ::
+
+ You can change the cost at any time — even if you already have some
+ passwords encoded using a different cost. New passwords will be encoded
+ using the new cost, while the already encoded ones will be validated
+ using a cost that was used back when they were encoded.
+
+ A salt for each new password is generated automatically and need not be
+ persisted. Since an encoded password contains the salt used to encode it,
+ persisting the encoded password alone is enough.
+
+ .. note ::
+
+ All the encoded passwords are ``60 `` characters long, so make sure to
+ allocate enough space for them to be persisted.
HTTP-Digest Authentication
--------------------------
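Review bot: the added sentence "You can see an example of the ``pbkdf2`` encoder in the YAML block on this page" does not say which block, and this hunk gives bcrypt a full ``configuration-block`` while PBKDF2, the section the sentence sits in, gets none; either point at the intended block with a ``:ref:`` (the hunk already adds the ``reference-security-pbkdf2`` label for that purpose) or add a matching ``configuration-block`` under the PBKDF2 heading showing the 1000-iteration, sha512 settings the text recommends. In the bcrypt text, the example uses ``cost: 15`` while the prose says the default is ``13`` and that each increment doubles the time, so a reader who copies the example gets roughly four times the default cost without being told; either use ``13`` in the example or add a sentence saying the value is deliberately above the default. Finally, "determines how long a password will be encoded" reads as a length rather than a duration; "determines how long encoding a password takes" is what the following sentence describes.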
@@ -325,3 +397,4 @@ To use HTTP-Digest authentication you need to provide a realm and a key:
),
));
+ .. _`PBKDF2` : http://en.wikipedia.org/wiki/PBKDF2
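Review bot: moving the ``.. _`PBKDF2`:`` hyperlink target here, after the HTTP-Digest PHP example, separates it from the only section that references it (the PBKDF2 section in the previous hunk); reStructuredText resolves named targets document-wide, so the link still works, but the target now reads as if it belonged to the HTTP-Digest section and is easy to delete by mistake in a later edit. A short ``..`` comment above it marking it as a shared external link target, or grouping all such targets together at the end of the file, would make the intent clear. While the line is being touched, ``https://`` for the Wikipedia URL would avoid a plain-HTTP link in security documentation.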