
llioor

fillable, hidden and guarded

Hello everybody, I'd like to know if someone can help me with a question.

We can find here an explanation of mass assignment. The example is about guarding the "is_admin" property against a user hacking it and changing it from "0" to "1" without permission: https://laravel.com/docs/5.1/eloquent#mass-assignment

So why, here: https://github.com/laravel/laravel/blob/master/app/User.php, is "password" under the "fillable" and "hidden" attributes and not under the "guarded" attribute, if we want to prevent the user from changing the password manually?

Thanks, Leo.

Jaytee

Essentially, the only person that should be able to change the "is_admin" property is an admin; if the password wasn't fillable, they wouldn't be able to register.

Snapey

Both are wrong. A value that is not fillable can still be set directly, as in $user->password = x

llioor

@Snapey The thing is that we did not ask whether "a value that is not fillable can still be set directly"... I asked about the fact that even in registration we can add a specific action for changing the password, so why not add passwords to the "guarded" attribute?

Snapey (Best Answer)

I agree, it's open to question. I was replying to comments by @jaytee and someone else who has since removed their post.

I can't, though, think of a plausible exploit, since it is not possible for an outsider to come up with a password that can work unless they also know the key for the hashing algorithm. Therefore, the best an attacker could do is create a denial of service for an individual user. Now, if this denial then leads to the user requesting a password reset, then the attacker might be able to exploit some other vulnerability.

jekinney

All three methods are essentially Eloquent-only. Basically you're setting defaults to protect yourself.

Hidden will not return that column on an Eloquent get query.

Fillable and guarded are essentially opposites of each other. You're "safe" with one or the other. Generally most just use fillable.

If you manually new up a class or use the DB query builder you will bypass those methods, but you should have everything set explicitly.

In both cases a user can't override it with form or Ajax input.
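An added illustration (not Laracasts', Laravel's or any poster's code) of Snapey's point that a non-fillable attribute can still be set directly, and of jekinney's summary of what fillable, guarded and hidden each do. It is a plain-PHP stand-in that mirrors the order of checks in Eloquent's isFillable(), assumes PHP 8, and uses a constructed registration payload; the User shape follows the linked app/User.php.

```php
<?php
// Plain-PHP stand-in for Eloquent's fillable/guarded/hidden rules (my simplification, not Laravel's code).
class Model
{
    protected array $fillable = [];
    protected array $guarded = ['*'];    // Eloquent's default: everything guarded
    protected array $hidden = [];
    protected array $attributes = [];

    // Same order as Eloquent's isFillable(): fillable wins, then guarded, else open only if $fillable is empty.
    public function isFillable(string $key): bool
    {
        if (in_array($key, $this->fillable, true)) { return true; }
        if ($this->guarded === ['*'] || in_array($key, $this->guarded, true)) { return false; }
        return empty($this->fillable);
    }

    // Mass assignment (fill/create/update): keys that fail isFillable() are silently dropped.
    public function fill(array $input): static
    {
        foreach ($input as $key => $value) {
            if ($this->isFillable($key)) { $this->attributes[$key] = $value; }
        }
        return $this;
    }

    // Direct property assignment never consults $fillable or $guarded.
    public function __set(string $key, mixed $value): void { $this->attributes[$key] = $value; }
    public function __get(string $key): mixed { return $this->attributes[$key] ?? null; }

    // $hidden only affects serialisation (toArray/toJson); the value is still stored and writable.
    public function toArray(): array { return array_diff_key($this->attributes, array_flip($this->hidden)); }
}

// Same shape as the linked app/User.php: password is fillable and hidden, is_admin is neither.
class User extends Model
{
    protected array $fillable = ['name', 'email', 'password'];
    protected array $hidden = ['password'];
}

// Constructed registration payload to which the client has added its own is_admin=1.
$input = ['name' => 'leo', 'email' => 'leo@example.test', 'password' => 'HASH-PLACEHOLDER', 'is_admin' => 1];
$user = (new User)->fill($input);
var_dump($user->is_admin, $user->password);    // fill() dropped is_admin but accepted password
var_dump($user->toArray());                    // password omitted from output, yet still stored above
$user->is_admin = 1;                           // direct set: no fillable/guarded check (Snapey's point)
var_dump($user->is_admin);
```

The takeaway for the original question: $fillable and $guarded only filter what arrives through fill()/create()/update(), so a password the application itself assigns (hashed) is unaffected by listing it as fillable, while $hidden is purely about what leaves the model in responses.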
