Documentation should not reference external BCrypt tool #5698

Closed
AndrewCarterUK opened this issue Sep 16, 2015 · 2 comments
Labels

- actionable: Clear and specific issues ready for anyone to take them.
- good first issue: Ideal for your first contribution! (some Symfony experience may be required)
- hasPR: A Pull Request has already been submitted for this issue.
- Security

@AndrewCarterUK

Currently the documentation suggests using this online tool to generate BCrypt hashes.

Although this tool may have been set up with the best of intentions - we have no way of proving that the operator is not farming the input BCrypt hashes (or that the service has not been compromised).

I think these references in the documentation should be removed, as it is not a good security practice to generate password hashes like this.

@stof
Member

stof commented Sep 22, 2015

Now that we have the commands to generate password hashes in Symfony 2.7+, we should recommend it instead of suggesting the online tool.

@xabbuh xabbuh added good first issue Ideal for your first contribution! (some Symfony experience may be required) actionable Clear and specific issues ready for anyone to take them. Security labels Sep 22, 2015
@xabbuh
Member

xabbuh commented Sep 22, 2015

I agree with @stof. Additionally, we can add a warning on the 2.3 branch to address the concerns raised by @AndrewCarterUK.

This was referenced Dec 5, 2015
@wouterj wouterj added the hasPR A Pull Request has already been submitted for this issue. label Dec 5, 2015
xabbuh added a commit that referenced this issue Dec 9, 2015
This PR was squashed before being merged into the 2.7 branch (closes #5956).

Discussion
----------

Update security.rst

| Q             | A
| ------------- | ---
| Doc fix?      | yes
| New docs?     | no
| Applies to    | 2.7+
| Fixed tickets | #5698

Commits
-------

e96416b Update security.rst
wouterj added a commit that referenced this issue Feb 6, 2016
This PR was squashed before being merged into the 2.3 branch (closes #5958).

Discussion
----------

Update security.rst

| Q             | A
| ------------- | ---
| Doc fix?      | yes
| New docs?     | no
| Applies to    | <2.7
| Fixed tickets | #5698

Commits
-------

b4a950b Update security.rst
@wouterj wouterj closed this as completed Feb 6, 2016