Be part of JetBrains PHPverse 2026 on June 9 – a free online event bringing PHP devs worldwide together.
I have a database that is being used for a legacy project and I need to authenticate against it. Unfortunately the password is in MD5 hash. How can I authenticate against this in Laravel 5.5?
I dont think MD5 is been used by Laravel, I didnt really understand your question but I guess is that you have the hashed password and you dont know the password it self? is that right? If yes I'd hash a new password and edit it directly from the database.
I need to authenticate against the users table but the password is stored in MD5 hash. I know that Laravel doesn't use MD5 hash for auth but didn't know if there was some way to modify the auth to use it.
Its easy just type your password Hash::make("newPassword") in a route and get the hashed password and edit it as I said earlier. Dont forget to import the Hash class.
I wouldn't design the new application to only use MD5, but instead I'd create a transition plan so that as users log in their password will be migrated to a more secure hashing algorithm. This thread has some good advice.
I totally agree with @sutherland but if you still want a solution for your query, just override the attemptLogin() method in App\Http\Controllers\Auth\LoginController class like this:
use Illuminate\Http\Request;
/**
* Attempt to log the user into the application.
*
* @param \Illuminate\Http\Request $request
* @return bool
*/
protected function attemptLogin(Request $request)
{
$user = \App\Models\User::where([
'email' => $request->email,
'password' => md5($request->password)
])->first();
if ($user) {
$this->guard()->login($user, $request->has('remember'));
return true;
}
return false;
}
You can change the namespace \App\Models\User to whatever you use to store models.
Hi @mushti,
Thanks for the code. I just gave it a try but it just brings me right back to the login page.
@twg_ You need to deprecate the use of those MD5 passwords as quickly as possible. Collisions are able to be quickly found using consumer hardware, which is a security risk for your application and your users.
If it’s not possible to implement bcrypt hashing and email your users asking them to change their password, then I’d create a custom user provider that:
This means the passwords in your database will be slowly migrated to the more secure bcrypt hashing algorithm and you can set a date as to when you stop authenticating using MD5-hashed passwords, i.e. any one who hasn’t logged in by that date is probably a delinquent user so resetting their password after all that time won’t be such an ordeal.
I would love to implement your idea but this database is used by two other internal apps that I can't modify so i can't change the password as it would then stop them from working.
Make sure the hashing algorithm used in the database is md5 by running this query:
SELECT * FROM `users` WHERE `email` = '[email protected]' AND `password` = MD5('helloworld');
Also add dd($user); after:
$user = \App\Models\User::where([
'email' => $request->email,
'password' => md5($request->password)
])->first();
dd($user);
...to see whether it fetches any user.
If I dd($user) after fetching them, I get the user's information.
I also dumped the result of $this->guard()->login($user, $request->has('remember')); and it was null.
Have a look at manual authentication documentation and see if that can help you now to start the user's session.
Please or to participate in this conversation.