Work with plain text password before salting and hashing (symfony 2)

Question

For the purpose of my application, I would like to be able to get the password of a user and work with it before saving it in database. I guess it doesn't sound very safe but what I would like to do is:

1. Get the plain text password and the salt

2. Build a string that is the inverse of what symfony store in database. For instance, let's say that symfony use the following algorythm to store data in database hash(password.salt), I would like to store somewhere the hash(salt.password). And to do so, I think I need to have the plain text password. I'll then use this newly calculated string as a key to some secure area of my application.

Thank you for your help.

Answer 1

Current password hash functions will not just add the salt before hashing, instead they do a lot of iterations and use the salt in each iteration. So you cannot just do it the other way round.

Actually what you have in mind is to generate a key out of the user password. There are functions which where created exactly for this purpose, they are called key-derivation functions. Well-known key-derivation functions are BCrypt and PBKDF2 (Password Based Key Derivation Function 2).

So in your case you would store the hash of the password in the database for authentication, but use a different salt to generate the key for encryption. This salt you have to store somewhere too, but not the key itself.