Thanks to visit codestin.com
Credit goes to github.com

Skip to content

[RFC] Give back control of password hashing algorithm to app developer #33054

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
teohhanhui opened this issue Aug 8, 2019 · 11 comments · Fixed by #34020
Closed

[RFC] Give back control of password hashing algorithm to app developer #33054

teohhanhui opened this issue Aug 8, 2019 · 11 comments · Fixed by #34020
Labels
Feature Security

Comments

@teohhanhui
Copy link
Contributor

Description
(From #30914 (comment), #30914 (comment), #30914 (comment))

I think what's still very disturbing to me is that the app developer will completely lose control over which password hashing algorithm to use.

What's worse, if you have a scenario where you upgrade your PHP version / sodium extension and a new algorithm becomes supported, then if you rollback the app, the password would then fail to verify. There is no way to prevent this from happening if the app developer is forced to use auto.

TL;DR: auto is a good default, but choice is good (and sometimes necessary).

Example

encoders:
    App\Entity\User:
        algorithm: argon2id
@mdeboer

This comment has been minimized.

Sign in to view
@teohhanhui
Copy link
Contributor Author

For some background on how this would be a problem, see #28093

@teohhanhui
Copy link
Contributor Author

For an alternative to auto, see:

https://docs.spring.io/spring-security/site/docs/5.1.5.RELEASE/reference/html5/#pe-dpe
https://docs.spring.io/spring-security/site/docs/5.1.5.RELEASE/api/org/springframework/security/crypto/password/DelegatingPasswordEncoder.html
https://docs.spring.io/spring-security/site/docs/5.1.5.RELEASE/api/org/springframework/security/crypto/factory/PasswordEncoderFactories.html#createDelegatingPasswordEncoder--

(from #31019 (comment))

@nicolas-grekas
Copy link
Member

How is this an alternative to auto? Spring recommends exactly the same as the new option to me.

@teohhanhui
Copy link
Contributor Author

@nicolas-grekas The difference with the DelegatingPasswordEncoder in Spring is that the app developer is in control of which algorithms are being used. The NativePasswordEncoder in Symfony does not provide that control.

@nicolas-grekas
Copy link
Member

nicolas-grekas commented Sep 4, 2019
edited
Loading

See MigratingPasswordEncoder, which is the one that you should compare DelegatingPasswordEncoder to.

@teohhanhui
Copy link
Contributor Author

teohhanhui commented Sep 4, 2019
edited
Loading

But which are the encoders we can use with MigratingPasswordEncoder, when they're all deprecated in favour of NativePasswordEncoder?

For example, I want to be able to use MigratingPasswordEncoder with argon2id as the "best" encoder, and argon2i and bcrypt as "extra" encoders. (Not a fictional but actual requirement.)

@stof
Copy link
Member

stof commented Sep 11, 2019

@nicolas-grekas MigratingPasswordEncoder is fine, but still does not give you control over the algorithm being used. It gives you control over the encoder being used, but our non-deprecated encoders are not about an algorithm, but about an implementation.

@romaricdrigon
Copy link
Contributor

I also think that using something else that auto should not trigger a deprecation warning.
On an application dealing with legacy users, you want to force the algorithm used.
I don't see why Symfony should care about your data, to the point of raising deprecation warnings (well, at least not if you are using a hashing algorithm considered safe).

@nicolas-grekas
Copy link
Member

Implementation wise, this should be a new constructor argument to native/sodium encoders.
Anyone up for a PR?

@nicolas-grekas nicolas-grekas added the Help wanted Issues and PRs which are looking for volunteers to complete them. label Sep 26, 2019
@chalasr
Copy link
Member

chalasr commented Oct 14, 2019

I'm on it.

@chalasr chalasr removed the Help wanted Issues and PRs which are looking for volunteers to complete them. label Oct 14, 2019
@chalasr chalasr mentioned this issue Oct 18, 2019
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
Feature Security
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

[Security] Allow to stick to a specific password hashing algorithm chalasr/symfony
7 participants
@nicolas-grekas @stof @teohhanhui @romaricdrigon @mdeboer @xabbuh @chalasr