Somewhat related to #20045 discussion, we could warn developers when they use unsafe encoder types. I'm thinking about something like this:
    // Proposed check (pseudocode from the issue). The "%s" placeholders need sprintf()
    // arguments; $class (the user entity class) is assumed to be in scope next to $encoderType.
    if (null !== $this->logger && 'plaintext' === $encoderType) {
        $this->logger->warning(sprintf('Storing user passwords in plain text is considered a critical security error. Consider configuring a password encoder for the "%s" entity.', $class));
    }
    // Strict comparison so only exact algorithm names match.
    if (null !== $this->logger && in_array($encoderType, array('sha512', 'sha384', 'sha256', 'sha1', 'md5'), true)) {
        $this->logger->warning(sprintf('Encoding user passwords with "%s" algorithm is considered a bad security practice. Consider using "bcrypt" as the password encoder for the "%s" entity.', $encoderType, $class));
    }
If you like this idea, how and where could we log those warning messages? Thanks!
Honestly I wouldn't like to see a warning like that in all my logs in production when I explicitly made the choice to use such an encoder. If it is tied to the debug flag of the environment, why not, but it can't be enabled all the time.
To be more precise, such a feature in production would prevent me from using the warning log level at all (or at least without a dedicated log configuration). I'll have to silence it because a warning shouldn't happen and all warnings must be investigated (not immediately, unlike an error or a critical, but it still has to be).
Closing it because I no longer consider this a good idea. Our developers are not idiots (so they'll never use plaintext for real users) and if they use bad hashers (sha*) it's probably for a good reason (legacy apps, etc.) and anyway, we explain things well in the docs.
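As an added example (not Symfony's code, nor code from anyone in this thread), the proposed check reworked to address the objection above: it walks a config array shaped like security.encoders (an assumption about the input format) and returns the warnings only when the debug flag is set, so nothing reaches production logs.

```php
<?php
// Added example, not Symfony's own code. Audits the configured password encoders and
// returns warning strings only in debug mode, as the discussion above suggests.
// $encoders is assumed to mirror security.encoders: class => 'algorithm' or
// class => ['algorithm' => ...].

const UNSAFE_PLAINTEXT = 'plaintext';
const WEAK_HASHES = ['sha512', 'sha384', 'sha256', 'sha1', 'md5'];

/**
 * @param array<string, string|array{algorithm?: string}> $encoders
 * @return string[] warning messages; always empty when $debug is false
 */
function auditPasswordEncoders(array $encoders, bool $debug): array
{
    if (!$debug) {
        return []; // never emit these in production logs
    }
    $warnings = [];
    foreach ($encoders as $class => $config) {
        // Accept both the short string form and the array form of the config.
        $algorithm = is_array($config) ? ($config['algorithm'] ?? null) : $config;
        if (null === $algorithm) {
            continue;
        }
        if (UNSAFE_PLAINTEXT === $algorithm) {
            $warnings[] = sprintf('Storing user passwords in plain text is considered a critical security error. Consider configuring a password encoder for the "%s" entity.', $class);
        } elseif (in_array($algorithm, WEAK_HASHES, true)) { // strict: exact names only
            $warnings[] = sprintf('Encoding user passwords with "%s" algorithm is considered a bad security practice. Consider using "bcrypt" as the password encoder for the "%s" entity.', $algorithm, $class);
        }
    }
    return $warnings;
}

// Constructed sample config: one safe entry, one legacy hash, one plaintext entry.
$sample = [
    'App\Entity\User' => ['algorithm' => 'bcrypt'],
    'App\Entity\LegacyUser' => ['algorithm' => 'sha1'],
    'Symfony\Component\Security\Core\User\User' => 'plaintext',
];
foreach (auditPasswordEncoders($sample, true) as $warning) {
    echo $warning, PHP_EOL; // two warnings; none would be returned with $debug = false
}
```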