Using MD5 in symfony2 security.yml for legacy users

日久生厌 2021-02-06 10:45

I have a legacy system which contains md5 hashed passwords. I have tested these to be correct and they do not use a salt.

security.yml

s         


        
2 answers
  •  后悔当初
    2021-02-06 11:08

    I was having exactly the same problem and had to dig into the code to find out why.

    You don't need to create a custom encoder.

    By default, the MessageDigestPasswordEncoder encoder (Symfony\Component\Security\Core\Encoder\MessageDigestPasswordEncoder) in Symfony 2.5 - and possibly all Symfony 2 releases - calculates the MD5 hash of the raw password, with/without using a salt, as expected, and then re-hashes the MD5 a number of times (5000 times, by default, in Symfony 2.5). To make things that little bit more exciting, the encoder will also base64-encode the hash, by default. Both of those features were causing problems for me.

    You can fix the problem(s) by disabling the re-hashing and/or disabling the base64 encoding, in security.yml, thus:

    security:
        encoders:
            Namespace\Of\Your\User: 
                algorithm: md5
                encode_as_base64: false
                iterations: 0
    

    Hope that saves you some time.
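
The mismatch described in the answer above, modelled in Python as an added example (not part of the original answer and not Symfony's own code). The names `encode`, `matches`, `compare_settings` and the sample password are constructed; the salt merge and the exact form of the re-hash loop are assumptions about the encoder, not taken from this page.

```python
import base64
import hashlib
import hmac


def encode(raw, salt="", algorithm="md5", iterations=5000, encode_as_base64=True):
    """Model of the message-digest encoder with `algorithm: md5` configured."""
    # Assumption: a non-empty salt is merged as password{salt}; legacy rows have none.
    salted = (raw + "{" + salt + "}" if salt else raw).encode("utf-8")
    digest = hashlib.new(algorithm, salted).digest()
    # Assumption: every extra round hashes the previous digest plus the salted password.
    for _ in range(1, iterations):
        digest = hashlib.new(algorithm, digest + salted).digest()
    if encode_as_base64:
        return base64.b64encode(digest).decode("ascii")
    return digest.hex()


def matches(stored, raw, **settings):
    """Compare a stored hash with the encoded candidate in constant time."""
    return hmac.compare_digest(stored, encode(raw, **settings))


# Constructed sample: the value a legacy table holds for the password "password",
# i.e. a single unsalted MD5 round written as lowercase hex.
LEGACY_ROW = hashlib.md5(b"password").hexdigest()

# The settings from the answer's security.yml.
LEGACY_SETTINGS = {"algorithm": "md5", "encode_as_base64": False, "iterations": 0}


def compare_settings(stored=LEGACY_ROW, raw="password"):
    """Show which combinations of the two settings verify the legacy hash."""
    return {
        "defaults (5000 rounds, base64)": matches(stored, raw),
        "encode_as_base64: false only": matches(stored, raw, encode_as_base64=False),
        "iterations: 0 only": matches(stored, raw, iterations=0),
        "both, as in the answer": matches(stored, raw, **LEGACY_SETTINGS),
    }


if __name__ == "__main__":
    for label, ok in compare_settings().items():
        print(f"{label:32} -> {'match' if ok else 'no match'}")
```

Only the last combination verifies the legacy row. With these settings the stored values remain plain unsalted, single-round MD5, so the configuration is a compatibility measure for existing users rather than a hardening step.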
