Reputation: 762
I was trying to match hashed password from the database against password - hashed from the login form and it doesn't match no matter what.
Then I've done some consistency tests.
$password = Hash::make('secret');
echo $password;
I've been getting different results each time I refresh the page. Unlike md5, which is consistent.
Am I missing something?
Or am I using/doing it wrong?
Why does Hash::make produce inconsistent results with the same args?
Upvotes: 0
Views: 2435
Reputation: 170
// Custom validation rule: the submitted value must match the logged-in user's
// stored bcrypt hash. Hash::check() reads the salt out of the stored hash and
// re-hashes the input with it, so you never compare two fresh hashes to each other.
Validator::extend('old_password', function($attribute, $value, $parameters) {
    return Hash::check($value, Auth::user()->password);
});

$rules = array(
    'old_password' => 'required|old_password',
    'new_password' => 'required|confirmed'
);

$messages = array(
    'old_password' => 'wrong old password'
);

$validator = Validator::make($input, $rules, $messages);
Upvotes: 0
Reputation: 25445
It's correct, and that's by design.
AFAIK, the function uses the password_hash() php function, and defaults to the PASSWORD_BCRYPT flag, which
PASSWORD_BCRYPT - Use the CRYPT_BLOWFISH algorithm to create the hash. This will produce a standard crypt() compatible hash using the "$2y$" identifier. The result will always be a 60 character string, or FALSE on failure.
That means a salt is automatically generated at each call, and inserted within the generated string, which contains: an identifier for the algo (in this case, $2y$), the iteration cost (defaults to 12), the hashed password, and the generated random salt.
Thus, every time you hash your password a new salt is created, and therefore the string will always be different - even if the password is the same. That's one of the strengths over a simple md5 hash without salt.
To check it, you use Hash::check(), which uses the password_verify() php function, which analyses the hash, guesses the algo used, takes the embedded salt, and can therefore check if the procedure, given the same starting conditions, creates an identical hash.
Edit
Indeed, this is the method (in Illuminate/Hashing/BcryptHasher):
/**
 * Hash the given value.
 *
 * @param string $value
 * @param array $options
 * @return string
 */
public function make($value, array $options = array())
{
    // The caller may override the configured cost via $options['rounds'].
    $cost = isset($options['rounds']) ? $options['rounds'] : $this->rounds;

    // password_hash() generates a fresh random salt on every call and embeds
    // it, together with the cost, in the returned 60-character string.
    $hash = password_hash($value, PASSWORD_BCRYPT, array('cost' => $cost));

    if ($hash === false)
    {
        throw new \RuntimeException("Bcrypt hashing not supported.");
    }

    return $hash;
}
Upvotes: 2
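As an added example (not code from the question, from either answer, or from Laravel itself), the plain-PHP script below shows what the second answer describes and what the validator rule in the first answer relies on: two password_hash() calls on the same password return different strings because each embeds a fresh random salt, and password_verify() reads the cost and salt back out of the stored hash, so both stored values accept the right password and reject a wrong one. The bcryptParts() helper and the explicit cost of 12 are this example's own choices, not anything Laravel ships.

```php
<?php
// Added example, not from the original question or answers.
// Laravel's Hash::make() / Hash::check() wrap these same PHP functions.

// Split a bcrypt string into its parts. Layout (60 chars in total):
//   $2y$ <2-digit cost> $ <22-char salt> <31-char digest>
// This helper is the example's own; bcrypt tooling does not need it.
function bcryptParts(string $hash): array
{
    if (!preg_match('/^\$2[aby]\$(\d{2})\$(.{22})(.{31})$/', $hash, $m)) {
        throw new InvalidArgumentException('not a bcrypt hash');
    }
    return ['cost' => (int) $m[1], 'salt' => $m[2], 'digest' => $m[3]];
}

$password = 'secret';   // constructed sample input

// Two calls, same input, same cost: a new random salt is drawn each time.
$hash1 = password_hash($password, PASSWORD_BCRYPT, ['cost' => 12]);
$hash2 = password_hash($password, PASSWORD_BCRYPT, ['cost' => 12]);

echo "hash1: $hash1\n";
echo "hash2: $hash2\n";
echo 'same string: ', var_export($hash1 === $hash2, true), "\n";

// The prefix and cost are identical; only the salt (and hence the digest) differ.
$p1 = bcryptParts($hash1);
$p2 = bcryptParts($hash2);
echo "cost: {$p1['cost']} / {$p2['cost']}\n";
echo 'salts differ: ', var_export($p1['salt'] !== $p2['salt'], true), "\n";

// password_verify() takes the cost and salt from the stored hash, re-hashes the
// candidate with them, and compares. That is the check a login form must use.
echo 'verify hash1: ', var_export(password_verify($password, $hash1), true), "\n";
echo 'verify hash2: ', var_export(password_verify($password, $hash2), true), "\n";
echo 'verify wrong: ', var_export(password_verify('Secret', $hash1), true), "\n";

// Hashing the form input again and comparing strings is the mistake in the
// question: the new hash carries a new salt and will never equal the stored one.
$again = password_hash($password, PASSWORD_BCRYPT, ['cost' => 12]);
echo 'string compare: ', var_export($again === $hash1, true), "\n";
```

Run it with `php` from the command line. The two printed hashes share the `$2y$12$` prefix but differ after it, the `same string` and `string compare` lines print `false`, `salts differ` and both `verify hash` lines print `true`, and `verify wrong` prints `false`. The practical rule for a login or change-password form is the one both answers apply: store the result of Hash::make() once, and at check time call Hash::check() (password_verify) against that stored value rather than hashing the input again and comparing strings.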