Symfony: BCryptPasswordEncoder without salt

Created on 2 Nov 2016 · 3 Comments · Source: symfony/symfony

Hello Symfony community. I don't understand why BCryptPasswordEncoder doesn't use the salt. Could you please answer this question? Security in my application is very important to me.

https://github.com/symfony/symfony/blob/master/src/Symfony/Component/Security/Core/Encoder/BCryptPasswordEncoder.php

```php
if ($salt) {
    // Ignore $salt, the auto-generated one is always the best
}
```

All 3 comments

The reason is that Bcrypt includes its own auto-generated salt. Besides, the salt is deprecated since PHP 7.0, as explained here: http://php.net/manual/en/function.password-hash.php

Okay. Sorry for my incompetence. Thank you

@FRAGnatt please don't say that. There's no incompetence at all. Your question is completely legit. I wondered the exact same thing when I saw Bcrypt for the first time :smile:
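The first comment's point, that bcrypt generates its own salt and stores it inside the hash string, shown as an added example (not code from Symfony or from this thread). It uses PHP's built-in `password_hash()`, `password_verify()` and `crypt()`; the helper `splitBcryptHash()` and the sample password are constructed for illustration.

```php
<?php
/**
 * Split a bcrypt hash in modular crypt format into its parts.
 * Layout: $<variant>$<cost>$<22-char salt><31-char digest> (60 characters).
 * Hypothetical helper, written for this example only.
 */
function splitBcryptHash(string $hash): array
{
    $pattern = '#^\$(2[abxy])\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$#';
    if (!preg_match($pattern, $hash, $m)) {
        throw new InvalidArgumentException('Not a bcrypt hash');
    }
    return ['variant' => $m[1], 'cost' => (int) $m[2], 'salt' => $m[3], 'digest' => $m[4]];
}

$password = 'correct horse battery staple'; // constructed sample input

// Hash the same password twice without passing any salt:
// password_hash() draws a fresh random salt on every call.
$first  = password_hash($password, PASSWORD_BCRYPT, ['cost' => 10]);
$second = password_hash($password, PASSWORD_BCRYPT, ['cost' => 10]);

$a = splitBcryptHash($first);
$b = splitBcryptHash($second);

printf("hash 1: %s\n  salt: %s\n", $first, $a['salt']);
printf("hash 2: %s\n  salt: %s\n", $second, $b['salt']);

// Compare the embedded salts and the resulting hashes of the two calls.
printf("salts differ:  %s\n", var_export($a['salt'] !== $b['salt'], true));
printf("hashes differ: %s\n", var_export($first !== $second, true));

// Verification takes only the password and the stored hash: the salt and
// cost are read back out of the hash string, so no separate salt column
// or argument is needed.
printf("verify hash 1: %s\n", var_export(password_verify($password, $first), true));
printf("verify hash 2: %s\n", var_export(password_verify($password, $second), true));
printf("wrong password: %s\n", var_export(password_verify('wrong', $first), true));

// Same thing done by hand: crypt() given the stored hash as its settings
// string reuses the embedded variant, cost and salt to recompute the digest.
// hash_equals() is used so the comparison is constant-time.
printf("crypt() reproduces hash 1: %s\n",
    var_export(hash_equals($first, crypt($password, $first)), true));
```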
