Warn developers when they use unsafe hashers/encoders

[javiereguiluz]

Somewhat related to #20045 discussion, we could warn developers when they use unsafe encoder types. I'm thinking about something like this:

if (null !== $this->logger && 'plaintext' === $encoderType) {
    $this->logger->warning('Storing user passwords in plain text is considered a critical security error. Consider configuring a password encoder for the "%s" entity.');
}

if (null !== $this->logger && in_array($encoderType, array('sha512', 'sha384', 'sha256', 'sha1', 'md5'))) {
    $this->logger->warning('Encoding user passwords with "%s" algorithm is considered a bad security practice. Consider using "bcrypt" as the password encoder for the "%s" entity.');
}

If you like this idea, how and where could we log those warning messages? Thanks!

[Nicofuma]

Honestly I wouldn't like to see a warning like that in all my logs in production when I explicitly made the choice to use a such encoder. If it is tied to the debug flag of the environment why not, but it can't be enabled all the time.

To be more precise, a such feature in production would prevent me from using the warning log level at all (or at least without a dedicated log configuration). I'll have to silence it because a warning shouldn't happen and all warning must be investigate (not immediately unlike an error or a critical but it still have to)

[javiereguiluz]

Yes, it would only be for the dev environment.

[javiereguiluz]

Closing it because I no longer consider this a good idea. Our developers are not idiots (so they'll never use plaintext for real users) and if they use bad hashers (sha*) it's probably for a good reason (legacy apps, etc.) and anyway, we explain things well in the docs.