
I am using sha512 as an encoder for passwords, although the passwords are not recorded in the database using that encoder. For example, if the password is "123", it will be hashed (using sha512) as:

3c9909afec25354d551dae21590bb26e38d53f2173b8d3dc3eee4c047e7ab1c1eb8b85103e3be7ba613b31bb5c9c36214dc9f14a42fd7a2fdb84856bca5c44c2

However, that password is actually stored in the database that I have as follows: iOgyhdY1gJJPj7y7mMN8obgqMQZH2fLDuQuXfqZesC1Iqxo6iHxRuAA9m8E1ZUz76OIiPGTann7uJ3BNhPDoEA==

This is the code of the file security.yml that I have:

security:
    firewalls:
        secured_area:
            pattern:    ^/
            anonymous: ~
            form_login:
                login_path:  /login
                check_path:  /login/check
                default_target_path: /home
                always_use_default_target_path: true
            logout:
                path:   /home/logout
                target: /login
            remember_me:
                # a plain scalar may not start with '%' in YAML, so the parameter reference is quoted
                key:      "%secret%"
                lifetime: 604800
                path:     /
                domain:   ~

    access_control:
        - { path: ^(?!/login), role: IS_AUTHENTICATED_FULLY }

    providers:
        main:
            entity: { class: Ikproj\LoginBundle\Entity\User, property: username }

    encoders:
        Ikproj\LoginBundle\Entity\User: sha512

And this is the code of the file User.php:

<?php

namespace Ikproj\LoginBundle\Entity;
use Symfony\Component\Security\Core\User\UserInterface;

use Doctrine\ORM\Mapping as ORM;

/**
 * User
 *
 * @ORM\Table(name="user")
 * @ORM\Entity(repositoryClass="Ikproj\LoginBundle\Entity\UserRepository")
 */
class User implements UserInterface
{  
    /**
     * @var integer
     *
     * @ORM\Column(name="id_user", type="integer")
     * @ORM\Id
     * @ORM\GeneratedValue(strategy="AUTO")
     */
    private $id;

    /**
     * @var string
     *
     * @ORM\Column(name="name", type="string", length=255)
     */
    private $name;

    /**
     * @var string
     *
     * @ORM\Column(name="username", type="string", length=255)
     */
    private $username;

    /**
     * @var string
     *
     * @ORM\Column(name="pseudo", type="string", length=255)
     */
    private $pseudo;

    /**
     * @var string
     *
     * @ORM\Column(name="password", type="string", length=255)
     */
    private $password;

    /**
     * @var string
     *
     * @ORM\Column(name="sexeuser", type="string", length=255)
     */
    private $sexeuser;

    /**
     * @var \DateTime
     *
     * @ORM\Column(name="dateanniv", type="date")
     */
    private $dateanniv;

    /**
     * Get id
     *
     * @return integer 
     */
    public function getId()
    {
        return $this->id;
    }

    /**
     * Set name
     *
     * @param string $name
     * @return User
     */
    public function setName($name)
    {
        $this->name = $name;

        return $this;
    }

    /**
     * Get name
     *
     * @return string 
     */
    public function getName()
    {
        return $this->name;
    }

    /**
     * Set username
     *
     * @param string $username
     * @return User
     */
    public function setUsername($username)
    {
        $this->username = $username;

        return $this;
    }

    /**
     * Get username
     *
     * @return string 
     */
    public function getUsername()
    {
        return $this->username;
    }

    /**
     * Set pseudo
     *
     * @param string $pseudo
     * @return User
     */
    public function setPseudo($pseudo)
    {
        $this->pseudo = $pseudo;

        return $this;
    }

    /**
     * Get pseudo
     *
     * @return string 
     */
    public function getPseudo()
    {
        return $this->pseudo;
    }

    /**
     * Set passWD
     *
     * @param string $passWD
     * @return User
     */
    public function setPassword($password)
    {
        $this->password = $password;

        return $this;
    }

    /**
     * Get passWD
     *
     * @return string 
     */
    public function getPassword()
    {
        return $this->password;
    }

    /**
     * Set sexeuser
     *
     * @param string $sexeuser
     * @return User
     */
    public function setSexeuser($sexeuser)
    {
        $this->sexeuser = $sexeuser;

        return $this;
    }

    /**
     * Get sexeuser
     *
     * @return string 
     */
    public function getSexeuser()
    {
        return $this->sexeuser;
    }

    /**
     * Set dateanniv
     *
     * @param \DateTime $dateanniv
     * @return User
     */
    public function setDateanniv($dateanniv)
    {
        $this->dateanniv = $dateanniv;

        return $this;
    }

    /**
     * Get dateanniv
     *
     * @return \DateTime 
     */
    public function getDateanniv()
    {
        return $this->dateanniv;
    }

    public function getRoles()
    {
        return array('ROLE_ADMIN');
    }

    public function getSalt()
    {
        return null;
    }

    public function eraseCredentials()
    {

    }

    public function equals(UserInterface $user)
    {
        return $user->getUsername() == $this->getUsername();
    }   
}

When I log in using the password "123", it works without any problem. I wonder how it accepts the password although it is not encoded in the correct form! So my questions are:

  1. Why is the password "123" stored in the database in such a form?
  2. What is the encoding method used to obtain the following result: iOgyhdY1gJJPj7y7mMN8obgqMQZH2fLDuQuXfqZesC1Iqxo6iHxRuAA9m8E1ZUz76OIiPGTann7uJ3BNhPDoEA==
  3. What is wrong in my code?

2 Answers

2

By default, when selecting an algorithm, the default options are to iterate 5000 times using this algorithm, and then do a base64 encode on the result. This should explain the resulting string.

As to what is wrong with your code, I'm not sure what your actual problem is?

Gerry
  • Well, do you have any idea how to convert the encoded password `iOgyhdY1gJJPj7y7mMN8obgqMQZH2fLDuQuXfqZesC1Iqxo6iHxRuAA9m8E1ZUz76OIiPGTann7uJ3BNhPDoEA==` to the encoded password `3c9909afec25354d551dae21590bb26e38d53f2173b8d3dc3eee4c047e7ab1c1eb8b85103e3be7ba613b31bb5c9c36214dc9f14a42fd7a2fdb84856bca5c44c2`? By the way, I tried to figure out which encoding method was used to encode the password "123" and which provides this result `3c9909afec25354d551dae21590bb26e38d53f2173b8d3dc3eee4c047e7ab1c1eb8b85103e3be7ba613b31bb5c9c36214dc9f14a42fd7a2fdb84856bca5c44c2`, but in vain. –  Dec 01 '14 at 13:10
  • Please have a look at this link: http://md5hashing.net/hash_type_checker#main ... Then try to check out this encoded password: `3c9909afec25354d551dae21590bb26e38d53f2173b8d3dc3eee4c047e7ab1c1eb8b85103e3be7ba613b31bb5c9c36214dc9f14a42fd7a2fdb84856bca5c44c2` –  Dec 01 '14 at 13:13
  • Why are you trying to check it manually? Doing a base64_decode() would return to the original output of the hashing algorithm. Also `3c99..` would be the output of a SHA512 hash with only one iteration. – Gerry Dec 01 '14 at 15:06
  • Well, is it possible to decode `iOgyhdY1gJJPj7y7mMN8obgqMQZH2fLDuQuXfqZesC1Iqxo6iHxRuAA9m8E1ZUz76OIiPGTann7uJ3BNhPDoEA==` using a base64 decoder in JavaScript? If yes, how? –  Dec 01 '14 at 15:25
  • @Nadim2014 That sounds like a terrible idea. Are you trying to do client-side password validation? – Gerry Dec 01 '14 at 15:38
  • Actually, I am trying to make a form through which a user can change his password, like what we find on Facebook. By the way, I tried to decode the encoded password `iOgyhdY1gJJPj7y7mMN8obgqMQZH2fLDuQuXfqZesC1Iqxo6iHxRuAA9m8E1ZUz76OIiPGTann7uJ3BNhPDoEA==` using a base64 decoder but it didn't work. Could you tell me which decoder I should use to decode such a password? –  Dec 01 '14 at 15:56
0

Try to iterate only once and disable the base64 encoding.

Try:

security:
    encoders:
        Symfony\Component\Security\Core\User\User:
            algorithm: sha512
            encode_as_base64: false
            iterations: 1
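The two answers describe the same scheme from opposite ends: Gerry's answer explains that the `sha512` shorthand means "hash, re-hash 5000 times, base64-encode", and the second answer turns those two knobs down to one iteration and hex output, which is exactly the `3c99...` string the question expected. The following is an added example written for this page (the editor's own Python, not code from Symfony or from the question's project) that re-implements that hash-iterate-encode scheme with the same parameters Symfony's `encoders` options expose (`algorithm`, `iterations`, `encode_as_base64`), so both stored forms can be recomputed and verified server-side. The two hash strings are copied from the question; the salt handling (salt appended as `{salt}`, no salt because the entity's `getSalt()` returns null) is the editor's reading of Symfony's message-digest encoder and is stated as an assumption in the comments.

```python
# Added example (editor's own code, not from Symfony or the question's
# project): re-implementation of the hash -> iterate -> base64 scheme that
# Symfony applies when `encoders` maps a class to the bare `sha512`
# shorthand (assumed defaults: 5000 iterations, base64 output), with the
# same options the second answer sets (`iterations: 1`,
# `encode_as_base64: false`). Hash strings below are copied from the question.
import base64
import hashlib
import hmac

STORED_B64 = (
    "iOgyhdY1gJJPj7y7mMN8obgqMQZH2fLDuQuXfqZesC1Iqxo6iHxRuAA9m8E1ZUz7"
    "6OIiPGTann7uJ3BNhPDoEA=="
)
SINGLE_SHA512_HEX = (
    "3c9909afec25354d551dae21590bb26e38d53f2173b8d3dc3eee4c047e7ab1c1"
    "eb8b85103e3be7ba613b31bb5c9c36214dc9f14a42fd7a2fdb84856bca5c44c2"
)


def merge_password_and_salt(raw, salt):
    """Assumed Symfony behaviour: the salt is appended as '{salt}'; with no
    salt (the question's User::getSalt() returns null) the raw password is
    hashed on its own."""
    if not salt:
        return raw.encode("utf-8")
    return "{}{{{}}}".format(raw, salt).encode("utf-8")


def encode_password(raw, salt=None, algorithm="sha512", iterations=5000,
                    encode_as_base64=True):
    """Hash once, then re-hash (previous digest + salted password)
    iterations-1 more times; emit base64 of the raw digest, or hex when
    base64 output is disabled (the second answer's configuration)."""
    salted = merge_password_and_salt(raw, salt)
    digest = hashlib.new(algorithm, salted).digest()
    for _ in range(1, iterations):
        digest = hashlib.new(algorithm, digest + salted).digest()
    if encode_as_base64:
        return base64.b64encode(digest).decode("ascii")
    return digest.hex()


def is_password_valid(encoded, raw, salt=None, **options):
    """Server-side verification: recompute the digest from the submitted
    password and compare in constant time. Nothing is ever 'decoded'."""
    return hmac.compare_digest(encoded, encode_password(raw, salt, **options))


def stored_digest_hex():
    """What base64-decoding the stored value really gives: the 64-byte raw
    SHA-512 digest as hex, not the password the commenter hoped for."""
    return base64.b64decode(STORED_B64).hex()


def stored_matches_default_scheme(raw="123"):
    """True when the default scheme (5000 rounds, base64, no salt)
    reproduces the question's stored value for the given password."""
    return is_password_valid(STORED_B64, raw)


if __name__ == "__main__":
    print("single sha512, hex :", encode_password("123", iterations=1,
                                                   encode_as_base64=False))
    print("5000 rounds, base64:", encode_password("123"))
    print("stored value decodes to", len(base64.b64decode(STORED_B64)),
          "bytes; default scheme reproduces it:",
          stored_matches_default_scheme())
```

`encode_password("123", iterations=1, encode_as_base64=False)` yields the `3c99...` hex from the question, and `stored_matches_default_scheme()` reports whether the 5000-round, base64 variant reproduces the `iOgy...` value, which is the answer to question 2. The design point behind Gerry's "terrible idea" remark is visible in `is_password_valid`: a change-password form sends the current and new passwords to the server, which recomputes and compares the digest and then stores a freshly encoded value; decoding base64 only exposes the raw digest, and decoding in the browser would require shipping the stored hash to the client, which is what the hash is meant to protect.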