
sufuninja's avatar

How can I change Md5 Passwords to Bcrypt in Laravel 5.4?

I have tried several solutions online but nothing has worked.

I am pretty lost.

EmilMoe's avatar

What do you mean? You can't convert a hash to another hash

EmilMoe's avatar

@alexhiggins sure you can, or bruteforce with rainbow tables, but not really a reliable solution.

@sufuninja if I understand you correctly, you need to bcrypt the original value. Normally you would ask every user to change password.

alexhiggins's avatar

Yeap - there's sites too, does not mean it's viable for what he's wanting to do

sufuninja's avatar

Sorry, let me clarify.

I have a database with Md5 hashed passwords.

When a user logs in, I would like to auth first with Md5 (if old password) and upon success, rehash using bcrypt and save the new password.

EmilMoe's avatar

You mean this?

$user = User::where('username', $username)->where('md5_password', md5($password))->firstOrFail();

$user->update(['bcrypt_password' => Hash::make($password)]);
sufuninja's avatar

Where would something like that go? I am using Laravel's pre-built authentication controllers.

jaydeluca's avatar

This is how I handled it:

I created two new rows in the database, old_password and password_updated (default false). I then wrote a seeder to copy the existing password into the old_password field, and then added this to my LoginController

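// check if account logging in for first time
// check against old md5 password, if correct, create bcrypted updated pw
$user = User::where('email', $request->input('email'))->first();
// unknown e-mail: skip the migration and let the normal login flow reject it
if ($user && !$user->password_updated) {
    // hash_equals() compares the legacy hashes in constant time
    if (hash_equals((string) $user->old_password, $this->sqlPassword($request->input('password')))) {
        $user->password = bcrypt($request->input('password'));
        $user->password_updated = 1;
        $user->save();
    } else {
        // wrong password: count the attempt and send the failure response
        $this->incrementLoginAttempts($request);
        return $this->sendFailedLoginResponse($request);
    }
}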
sufuninja's avatar

Thank all of you for the help. I have tried a few different approaches but every one seems to be missing just one step. I'll be back on it tomorrow.

@jlrdw, I read that thread but failed to find App\Auth\AuthController. I wouldn't have reached out if my searches led me to success.

Thanks again.

Snapey's avatar

In 5.4 the boiler plate auth controllers have been split up a bit.

The one you are interested in is Auth/LoginController

This uses the AuthenticatesUsers trait which can be found at vendor/laravel/framework/src/Illuminate/Foundation/Auth/AuthenticatesUsers.php

Find the code you need to extend in there and duplicate it to your controller. It will then overload the trait method and you can edit it within your own app area

jaydeluca's avatar

@sufuninja to add more context to my previous answer and to go along with what @Snapey just said, I went to the file Snapey referenced (vendor/laravel/framework/src/Illuminate/Foundation/Auth/AuthenticatesUsers.php), copied the login function from it, pasted it into app/Http/Controllers/Auth/LoginController.php and made the following modifications there.


/**
 * Overwrite default login method to help migrate viewers to using
 * bcrypt encrypted passwords
 */
public function login(Request $request)
{
    $this->validateLogin($request);

    // If the class is using the ThrottlesLogins trait, we can automatically throttle
    // the login attempts for this application. We'll key this by the username and
    // the IP address of the client making these requests into this application.
    if ($this->hasTooManyLoginAttempts($request)) {
        $this->fireLockoutEvent($request);

        return $this->sendLockoutResponse($request);
    }

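    // check if account logging in for first time
    // check against old md5 password, if correct, create bcrypted updated pw
    $user = User::where('email', $request->input('email'))->first();
    // unknown e-mail: skip the migration and let attemptLogin() reject it
    if ($user && !$user->password_updated) {
        // hash_equals() compares the legacy hashes in constant time
        if (hash_equals((string) $user->old_password, $this->sqlPassword($request->input('password')))) {
            $user->password = bcrypt($request->input('password'));
            $user->password_updated = 1;
            $user->save();
        } else {
            // wrong password: count the attempt and send the failure response
            $this->incrementLoginAttempts($request);
            return $this->sendFailedLoginResponse($request);
        }
    }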

    if ($this->attemptLogin($request)) {
        return $this->sendLoginResponse($request);
    }

    // If the login attempt was unsuccessful we will increment the number of attempts
    // to login and redirect the user back to the login form. Of course, when this
    // user surpasses their maximum number of attempts they will get locked out.
    $this->incrementLoginAttempts($request);

    return $this->sendFailedLoginResponse($request);
}
sufuninja's avatar

Thank all of you for your help and patience.

This is much more straightforward and simple than trying to make a custom provider, edit autoload, edit composer.json and on and on.

sufuninja's avatar

Also, it didn't even occur to me that there might be overloading in PHP like there is in C#.

Afaceri's avatar

I know that it's an old post but I did this: copied login function from AuthenticatesUsers to LoginController and added

        // check the md5 password and change md5 to bcrypt if the user was found
        $user = User::where('email', $request->email)
                ->where('password', md5($request->password))
                ->first();
        if (!empty($user->id)) {
            $user->password = bcrypt($request->input('password'));
            $user->save();
        }

the login function in LoginController looks like that now:

/**
     * Handle a login request to the application.
     *
     * @param  \Illuminate\Http\Request  $request
     * @return \Illuminate\Http\RedirectResponse|\Illuminate\Http\Response|\Illuminate\Http\JsonResponse
     */
    public function login(Request $request)
    {
        $this->validateLogin($request);

        // If the class is using the ThrottlesLogins trait, we can automatically throttle
        // the login attempts for this application. We'll key this by the username and
        // the IP address of the client making these requests into this application.
        if ($this->hasTooManyLoginAttempts($request)) {
            $this->fireLockoutEvent($request);

            return $this->sendLockoutResponse($request);
        }

        // check the md5 password and change md5 to bcrypt if the user was found
        // (runs after validation and throttling so the md5 check sees validated
        // input and is covered by the lockout)
        $user = User::where('email', $request->email)
                ->where('password', md5($request->password))
                ->first();
        if ($user !== null) {
            $user->password = bcrypt($request->input('password'));
            $user->save();
        }

        if ($this->attemptLogin($request)) {
            return $this->sendLoginResponse($request);
        }

        // If the login attempt was unsuccessful we will increment the number of attempts
        // to login and redirect the user back to the login form. Of course, when this
        // user surpasses their maximum number of attempts they will get locked out.
        $this->incrementLoginAttempts($request);

        return $this->sendFailedLoginResponse($request);
    }
Adgower's avatar

Hey All,

I just wanted to say thanks. I don't know if this is the best method for Laravel 7, but it works great. I had the same issue. I needed to migrate users with md5 passwords to bcrypt. This was the simplest solution I found, although the code has slightly changed for the AuthenticatesUsers.php login function. Let me know if there is a better solution or method to accomplish this. I was looking into creating custom controller login etc, but that seemed like too much work. Then I was looking into mutators, but I need to learn more about how those work. I am a beginner.

The method I am currently using is a single column for password method. I have imported my old users into the database using the MD5 hashed passwords in the password column that is migrated with Laravel. Then it converts that single value.

Same steps as others have mentioned: open the AuthenticatesUsers.php file and copy the login function into the LoginController.php

At the top of the file

add:

use Illuminate\Http\Request;
use App\User;

Then inside the login function include the method mentioned above:

        // check the md5 password and change md5 to bcrypt if the user was found
        $user = User::where('email', $request->email)
                ->where('password', md5($request->password))
                ->first();
        if (!empty($user->id)) {
            $user->password = bcrypt($request->input('password'));
            $user->save();
        }

Final File:

<?php

namespace App\Http\Controllers\Auth;

use App\Http\Controllers\Controller;
use App\Providers\RouteServiceProvider;
use Illuminate\Foundation\Auth\AuthenticatesUsers;

use Illuminate\Http\Request;

use App\User;

class LoginController extends Controller
{
    /*
    |--------------------------------------------------------------------------
    | Login Controller
    |--------------------------------------------------------------------------
    |
    | This controller handles authenticating users for the application and
    | redirecting them to your home screen. The controller uses a trait
    | to conveniently provide its functionality to your applications.
    |
    */

    use AuthenticatesUsers;

    /**
     * Where to redirect users after login.
     *
     * @var string
     */
    protected $redirectTo = RouteServiceProvider::HOME;

    /**
     * Create a new controller instance.
     *
     * @return void
     */
    public function __construct()
    {
        $this->middleware('guest')->except('logout');
    }

    /**
     * Handle a login request to the application.
     *
     * @param  \Illuminate\Http\Request  $request
     * @return \Illuminate\Http\RedirectResponse|\Illuminate\Http\Response|\Illuminate\Http\JsonResponse
     */
    public function login(Request $request)
    {
        $this->validateLogin($request);

        // If the class is using the ThrottlesLogins trait, we can automatically throttle
        // the login attempts for this application. We'll key this by the username and
        // the IP address of the client making these requests into this application.
        if (method_exists($this, 'hasTooManyLoginAttempts') &&
            $this->hasTooManyLoginAttempts($request)) {
            $this->fireLockoutEvent($request);

            return $this->sendLockoutResponse($request);
        }

        // check the md5 password and change md5 to bcrypt if the user was found
        // (runs after validation and throttling so the md5 check sees validated
        // input and is covered by the lockout)
        $user = User::where('email', $request->email)
                ->where('password', md5($request->password))
                ->first();
        if ($user !== null) {
            $user->password = bcrypt($request->input('password'));
            $user->save();
        }

        if ($this->attemptLogin($request)) {
            return $this->sendLoginResponse($request);
        }

        // If the login attempt was unsuccessful we will increment the number of attempts
        // to login and redirect the user back to the login form. Of course, when this
        // user surpasses their maximum number of attempts they will get locked out.
        $this->incrementLoginAttempts($request);

        return $this->sendFailedLoginResponse($request);
    }
}
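
A framework-free sketch of the single-column upgrade discussed in the posts above, added here as an example; it is not code from any poster or from Laravel. The function names `isLegacyMd5` and `loginAndUpgrade`, the in-memory `$users` array standing in for the users table, the bcrypt cost and the sample account are all assumptions constructed for illustration.

```php
<?php
// Added example (not from the thread): upgrade a single password column
// from unsalted MD5 to bcrypt at login, without any framework.
const BCRYPT_OPTS = ['cost' => 12]; // assumed cost; match your app's setting

// True when the stored value looks like an MD5 hex digest (32 hex chars).
function isLegacyMd5(string $stored): bool
{
    return preg_match('/^[a-f0-9]{32}$/i', $stored) === 1;
}

// Returns true only for a correct password; rewrites the stored hash
// to bcrypt when the row still held MD5 or an outdated bcrypt cost.
function loginAndUpgrade(array &$users, string $email, string $password): bool
{
    if (!isset($users[$email])) {
        return false; // unknown account, nothing to migrate
    }
    $stored = $users[$email];

    if (isLegacyMd5($stored)) {
        // Constant-time comparison of the legacy digest.
        if (!hash_equals(strtolower($stored), md5($password))) {
            return false;
        }
        // Overwrite the MD5 value so it no longer exists at rest.
        $users[$email] = password_hash($password, PASSWORD_BCRYPT, BCRYPT_OPTS);
        return true;
    }

    if (!password_verify($password, $stored)) {
        return false;
    }
    if (password_needs_rehash($stored, PASSWORD_BCRYPT, BCRYPT_OPTS)) {
        $users[$email] = password_hash($password, PASSWORD_BCRYPT, BCRYPT_OPTS);
    }
    return true;
}

// Constructed sample data: one account imported with an MD5 password.
$users = ['alice@example.test' => md5('correct horse')];

var_dump(loginAndUpgrade($users, 'alice@example.test', 'wrong guess'));
var_dump(isLegacyMd5($users['alice@example.test'])); // a failed attempt must not change the row
var_dump(loginAndUpgrade($users, 'alice@example.test', 'correct horse'));
var_dump(password_get_info($users['alice@example.test'])['algoName']);
var_dump(loginAndUpgrade($users, 'alice@example.test', 'correct horse'));
```

Accounts that never log in again keep their MD5 value under this scheme, so a deployment still needs a cut-off after which remaining legacy rows are forced through a password reset.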
