Updating password


We’re sorry but this documentation section is outdated. Please have that in mind when trying to use it. You can help us making documentation up to date via Sylius Github. Thank you!

In order to store user’s password safely you need to encode it and get rid of the plain password.


User component offers simple password updater and encoder. All you need to do is set the plain password on User entity and use updatePassword method on PasswordUpdater. The plain password will be removed and the encoded password will be set on User entity. Now you can safely store the encoded password. Example usage:

// src/script.php

// update this to the path to the "vendor/"
// directory, relative to this file
require_once __DIR__.'/../vendor/autoload.php';

use Sylius\Component\User\Model\User;
use Sylius\Component\User\Security\PasswordUpdater;
use Sylius\Component\User\Security\UserPbkdf2PasswordEncoder;

$user = new User();

$user->getPlainPassword(); // returns 'secretPassword'
$user->getPassword(); // returns null

// after you set user's password you need to encode it and get rid of unsafe plain text
$passwordUpdater = new PasswordUpdater(new UserPbkdf2PasswordEncoder());

// the plain password no longer exist
$user->getPlainPassword(); // returns null
// encoded password can be safely stored
$user->getPassword(); //returns 'notPredictableBecauseOfSaltHashedPassword'


The password encoder takes user’s salt (random, autogenerated string in the User constructor) as an additional input to a one-way function that hashes a password. The primary function of salts is to defend against dictionary attacks versus a list of password hashes and against pre-computed rainbow table attacks.