Custom SHA-256 Password

I am currently working on setting up a custom SHA-256 implementation for password handling. While the functionality works as expected for account registration, I encounter an issue during the login process, where the system returns an error indicating that the credentials are incorrect or do not match.

In the check() function $hashedValue returns as Resource id #

have i misunderstood how to implement to Hasher class? any tips are welcome

[2025-01-21 11:32:29] local.INFO: check {"value":"blablabla","hashedValue":"Resource id #7","hashedValueType":"string","hashedValueContent":"Resource id #7"}

app/Hashers/Sha256Hasher.php

<?php

namespace App\Hashers;

use Illuminate\Support\Facades\Log;
use Illuminate\Contracts\Hashing\Hasher;

class Sha256Hasher implements Hasher
{
    public function make($value, array $options = [])
    {
        return hash('sha256', $value);
    }

    public function check($value, $hashedValue, array $options = [])
    {
        Log::info('check', [
            'value' => $value,
            'hashedValue' => $hashedValue,
            'hashedValueType' => gettype($hashedValue),
            'hashedValueContent' => is_resource($hashedValue) ? stream_get_contents($hashedValue) : $hashedValue,
        ]);
        return hash('sha256', $value) === $hashedValue;
    }

    public function needsRehash($hashedValue, array $options = [])
    {
        return false;
    }

    public function info($hashedValue)
    {
        return [
            'algo' => 'sha256',
            'algoName' => 'sha256',
            'options' => [],
        ];
    }

    public function verifyConfiguration()
    {
        if (!extension_loaded('hash')) {
            throw new \RuntimeException('The hash extension is not available on your server.');
        }

        if (!in_array('sha256', hash_algos())) {
            throw new \RuntimeException('SHA-256 is not supported on this server.');
        }
    }
}

app/Providers/AppServiceProvider.php

<?php

namespace App\Providers;

use Illuminate\Support\Facades\Vite;
use Illuminate\Support\ServiceProvider;
use Illuminate\Support\Facades\Hash;
use App\Hashers\Sha256Hasher;

class AppServiceProvider extends ServiceProvider
{
    /**
     * Register any application services.
     */
    public function register(): void
    {
        //
    }

    /**
     * Bootstrap any application services.
     */
    public function boot(): void
    {
        // define password encrypt method
        $hashingDriver = config('hashing.driver', 'sha256');

        if ($hashingDriver === 'sha256') {
            Hash::extend('sha256', function () {
                return new Sha256Hasher();
            });
        }

        Vite::prefetch(concurrency: 3);
    }
}

config/hashing.php

<?php

return [

    'driver' => env('HASHING_DRIVER', 'sha256'),

    'bcrypt' => [
        'rounds' => 10,
    ],

    'argon' => [
        'memory' => 1024,
        'time' => 2,
        'threads' => 2,
    ],

    'argon2id' => [
        'memory' => 1024,
        'time' => 2,
        'threads' => 2,
    ],
    // 'custom' => [
    'sha256' => [
        'driver_class' => App\Hashers\Sha256Hasher::class,
        'options' => [],
    ],

];

martinbean

1 year ago

Level 80

@rakma Why are you trying to use a worse hashing algorithm than the one Laravel comes with out of the box (bcrypt)? Laravel obviously settled on bcrypt for a reason.

SHA256 is designed for speed. Speed is exactly what you don’t want when hashing something like passwords, as it means attackers can generate collisions much faster for SHA256-hashed passwords than bcrypt-hashed passwords. You’re basically making your application easier to hack.

1 like

Rakma

1 year ago

Level 2

@martinbean I completely agree with you on that. However, the game and the web project share the same database, it currently uses SHA-256 for password handling. For now, i need to get this to work. In the future, I'll revisit and improving the password handling for the game.

martinbean

1 year ago

Level 80

@Rakma What game? Why are you deliberately making your players’ accounts easier to hack?

If the Laravel app is the server, then all password hashing should be happening there. Games interacting with an API for account-related features are just a client; passwords should not be getting hashed in a client.

Rakma

1 year ago

Level 2

@martinbean I understand and completely agree with you that this approach is not as secure as bcrypt. However, I need to proceed with this solution to make progress on the task at hand. I appreciate your input!

Snapey

1 year ago

Level 122

How sure are you about the integrity of the $hashedValue? What if you hashed it twice?

Why not dump both values.

Rakma

1 year ago

Level 2

@Snapey i dumped both

[2025-01-23 15:23:18] local.INFO: check {"value":"redacted-plain-password","valueHashed":false,"hashedValue":"Resource id #8","options":[]}

  public function check($value, $hashedValue, array $options = [])
    {
        $test = $this->make($value, $options) === $hashedValue;

        Log::info('check', [
            'value' => $value,
            'valueHashed' => $test,
            'hashedValue' => $hashedValue,
            'options' => $options
        ]);

        return  $test;
        // return hash('sha256', $value) === $hashedValue;
    }

Please or to participate in this conversation.