Forgot password functionality - retrieve and mail - symfony2

Question

I want to implement the forgot password functionality. I don't want to change the password. Rather I simply want to mail the password to the provided email address.

But how can I get the decoded password and mail it to the email address?

All I have got till now from SO and other links is the password change process. I don't want that. I can't find any example regarding this. I'm using following encoder:

algorithm:        sha512
encode_as_base64: true
iterations:       1

Please help...

Answer 1

Short answer: You can't, and that is a VERY GOOD THING.

Hashes apply one-way only transformations in order to protect the original password. This is to protect the security of the password in the case of a security breach (computationally costly operations are required to find a hash collision). This is a mathematical property of a hash (sha512 is a hashing algorithm) and cannot be countered.

In fact, security auditors often verify that the reset password functionality of a website doesn't return the original password they set.

The only way to allow Symfony2 to do that would be to create your own encoder. However, not hashing your user's password would be a glaring security risk.

I would also recommend you increase the amount of iterations used to hash the password (to strengthen the hash) and/or switch to bcrypt. A fast hash is a bad hash.