WARNING: You are browsing the documentation for Symfony 3.0 which is not maintained anymore. Consider upgrading your projects to Symfony 5.1.

How to Manually Encode a Password



For historical reasons, Symfony uses the term “password encoding” when it should really refer to “password hashing”. The “encoders” are in fact cryptographic hash functions.

If, for example, you’re storing users in the database, you’ll need to encode the users’ passwords before inserting them. No matter what algorithm you configure for your user object, the hashed password can always be determined in the following way from a controller:

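// whatever *your* User object is; the leading backslash keeps the class
// name fully qualified inside a namespaced controller
$user = new \AppBundle\Entity\User();
$plainPassword = 'ryanpass';
// the encoder service, driven by the "encoders" key in security.yml
$encoder = $this->container->get('security.password_encoder');
// the hash to store on the user in place of the plaintext
$encoded = $encoder->encodePassword($user, $plainPassword);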


In order for this to work, just make sure that you have the encoder for your user class (e.g. AppBundle\Entity\User) configured under the encoders key in app/config/security.yml.

The $encoder object also has an isPasswordValid method, which takes the User object as the first argument and the plain password to check as the second argument.


When you allow a user to submit a plaintext password (e.g. registration form, change password form), you must have validation that guarantees that the password is 4096 characters or fewer. Read more details in How to implement a simple Registration Form.
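
The steps above as one standalone script, added here as an example that is not part of the Symfony documentation: it enforces the 4096 limit before hashing, stores the hash, and checks candidates with isPasswordValid. It assumes the Symfony 3.0 security component is installed with Composer; DemoUser, storePassword() and the bcrypt cost of 12 are hypothetical choices made for the example.

```php
<?php
// Added example, not Symfony's own code. Assumes symfony/security 3.0 is
// installed with Composer. DemoUser and storePassword() are hypothetical.
require __DIR__.'/vendor/autoload.php';

use Symfony\Component\Security\Core\Encoder\BCryptPasswordEncoder;
use Symfony\Component\Security\Core\Encoder\EncoderFactory;
use Symfony\Component\Security\Core\Encoder\UserPasswordEncoder;
use Symfony\Component\Security\Core\User\UserInterface;

class DemoUser implements UserInterface
{
    private $password;

    public function setPassword($hash) { $this->password = $hash; }
    public function getPassword() { return $this->password; }
    public function getSalt() { return null; } // bcrypt stores its salt in the hash
    public function getUsername() { return 'ryan'; }
    public function getRoles() { return array('ROLE_USER'); }
    public function eraseCredentials() {}
}

// Plays the role of the "encoders" key in security.yml: class => encoder.
// The bcrypt cost of 12 is a value chosen for this example.
$factory = new EncoderFactory(array('DemoUser' => new BCryptPasswordEncoder(12)));
$encoder = new UserPasswordEncoder($factory);

function storePassword(UserPasswordEncoder $encoder, DemoUser $user, $plain)
{
    // strlen() counts bytes, so this is at least as strict as a limit
    // of 4096 characters.
    if (strlen($plain) > 4096) {
        throw new InvalidArgumentException('Password must be 4096 characters or fewer.');
    }
    // Persist only the hash, never the plaintext.
    $user->setPassword($encoder->encodePassword($user, $plain));
}

$user = new DemoUser();
storePassword($encoder, $user, 'ryanpass'); // constructed sample password

var_dump($encoder->isPasswordValid($user, 'ryanpass'));  // correct password
var_dump($encoder->isPasswordValid($user, 'wrongpass')); // incorrect password

try {
    storePassword($encoder, $user, str_repeat('a', 4097)); // one byte over the limit
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```

In a full-stack application the same length check belongs in the form or entity validation, so the oversized value is rejected before it reaches the encoder.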

This work, including the code samples, is licensed under a Creative Commons BY-SA 3.0 license.