Help me understand encoder of symfony with md5

[CosmicSnow]

Hi, I am porting a symfony app to a node.JS with moleculer.JS app,
but, I'm having a bad time understanding what the application is doing.

The symfony application is using algorithm: MD5, but the password in db is always looking like "/nr1C+zfhk3C0sNR1WoVTw=="

So, I don't get what is happening, can you please help me to understand the steps of encoding?

[romaricdrigon]

Could you please post your security.yml, encoders (or hashers) section?
MD5 is not recommended since quite a while ago (10 years ?), and was never the default as far I know, so you likely have some custom configuration. From the look of the encoded password, I have the impression it is base64 encoded.

[javiereguiluz]

@CosmicSnow if I understood you right, you expected hashed passwords to be $hashed = md5($plainPassword) but the actual value stored in the database is not that.

The reason is that Symfony doesn't simply perform a md5() of the plain password. It concatenates some strings and iterates several times to produce the final hashed password. The actual algorithm can be found here:

symfony/src/Symfony/Component/PasswordHasher/Hasher/MessageDigestPasswordHasher.php

Lines 51 to 70 in 488a46f

	public function hash(string $plainPassword, string $salt = null): string
	{
	if ($this->isPasswordTooLong($plainPassword)) {
	throw new InvalidPasswordException();
	}
	if (!\in_array($this->algorithm, hash_algos(), true)) {
	throw new LogicException(sprintf('The algorithm "%s" is not supported.', $this->algorithm));
	}
	$salted = $this->mergePasswordAndSalt($plainPassword, $salt);
	$digest = hash($this->algorithm, $salted, true);
	// "stretch" hash
	for ($i = 1; $i < $this->iterations; ++$i) {
	$digest = hash($this->algorithm, $digest.$salted, true);
	}
	return $this->encodeHashAsBase64 ? base64_encode($digest) : bin2hex($digest);
	}

[CosmicSnow]

Oh thank you very much for you both @javiereguiluz @romaricdrigon,
Thanks to your information, I understood how the hash algorithm works, and from this, I found a solution on how to replicate it to nodejs!
https://stackoverflow.com/questions/55710514/how-to-duplicate-symfony-passwordencode-in-javascript

I pretend to migrate the hash to bcrypt, but can't do it right now, I must make it compatible with both hashes for around two months, then we will fully migrate to bcrypt.

and @romaricdrigon, unfortanely, the decision to use md5 wans't mine, it was from the last TI team working on the project, I know it's bad, and that's why we will migrate that hash type.

Thank you! :)

[faizanakram99]

It is easy to migrate old passwords to new password.

See this https://symfony.com/doc/current/security/password_migration.html