
devondahon's avatar

How to deal with Hash::make(md5('password'))?

I'm inheriting a users table where passwords are encrypted like this: Hash::make(md5('password')), and I need to merge it into other tables where they are encrypted the standard way, Hash::make('password').

To avoid forcing the user to reset his password, I'd like to check during the login process if the password has an additional md5() hash and, in this case, automatically replace it with the standard Hash::make('password') before logging in.

How should I do it?

0 likes
9 replies
Tray2's avatar

I would force them to change the password.

Inform them by mail that they need to do a password reset and link to the reset password page where they fill in their email and send them the reset link.

2 likes
MichalOravec's avatar

@devondahon Add this to your LoginController

/**
 * Attempt to log the user into the application.
 *
 * @param  \Illuminate\Http\Request  $request
 * @return bool
 */
protected function attemptLogin(Request $request)
{
    $isPassed = $this->guard()->attempt($this->credentials($request), $request->filled('remember'));

    if (! $isPassed) {
        $user = User::where($username = $this->username(), $request->{$username})
            ->where('password', Hash::make(md5($request->password)))
            ->first();

        if ($user) {
            $user->password = Hash::make($request->password);

            $user->save();

            $this->guard()->login($user, $request->filled('remember'));

            return true;
        }
    }

    return $isPassed;
}
1 like
martinbean's avatar

PSA: md5 is a hashing algorithm and not an “encryption” algorithm.

devondahon's avatar

@michaloravec

Thank you very much for this answer, it looks great... but it doesn't seem to work. I made a test by generating an md5+bcrypt password with php artisan tinker:

>>> Hash::make(md5('foobar'))
=> "y$rE2iI4WBs6EsQqZ3SASlKezdH4FqskyYiCip3mJUhulyKWpws4ak."

And setting it directly to my PostgreSQL table:

UPDATE public.users SET
password = 'y$rE2iI4WBs6EsQqZ3SASlKezdH4FqskyYiCip3mJUhulyKWpws4ak.'::character varying WHERE
id = '12345';

but no user is found in if (!$isPassed) { }, I get an empty value for $user in my logs.

So, I was wondering how this could actually work:

$user = User::where($username = $this->username(), $request->{$username})
            ->where('password', Hash::make(md5($request->password)))
            ->first();

while Hash::make() always gives a different result for the same string?

@martinbean I corrected my question, thanks for the clarification.

kima's avatar
Best Answer

what about

    protected function attemptLogin(\Illuminate\Http\Request $request)
    {
        $isPassed = $this->guard()->attempt($this->credentials($request), $request->filled('remember'));

        if (! $isPassed) {
            $isPassed = $this->guard()->attempt(array_merge($this->credentials($request), ["password" => md5($request->input("password"))]), $request->filled('remember'));

            if ($isPassed) {
                $user = Auth::user();
                $user->password = Hash::make($request->password);

                $user->save();

                return true;
            }
        }

        return $isPassed;
    }
1 like
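
Why an equality lookup against a freshly made hash finds no user, and why verifying first and re-hashing afterwards works, shown as an added example that is not part of any post in this thread. It uses plain PHP: Laravel's bcrypt Hash::make() and Hash::check() wrap password_hash() and password_verify(). The helper name verifyAndUpgrade and the sample passwords are assumptions made for illustration.

```php
<?php
// Added example: plain PHP, no framework needed.
// verifyAndUpgrade() is a hypothetical helper, not a Laravel API.

/**
 * Verify a login against a stored bcrypt hash that may be either
 * bcrypt(password) or the legacy bcrypt(md5(password)).
 * Returns [bool $ok, ?string $replacementHash].
 */
function verifyAndUpgrade(string $plain, string $stored): array
{
    // Standard scheme: bcrypt over the plaintext password.
    if (password_verify($plain, $stored)) {
        return [true, null];
    }

    // Legacy scheme: bcrypt over the hex MD5 digest of the password.
    if (password_verify(md5($plain), $stored)) {
        // The plaintext is only available during login, so this is the
        // moment to produce the standard hash that replaces the legacy one.
        return [true, password_hash($plain, PASSWORD_BCRYPT)];
    }

    return [false, null];
}

// Constructed sample data: one legacy row for the password "foobar".
$legacy = password_hash(md5('foobar'), PASSWORD_BCRYPT);

// Hashing the same input again uses a new random salt, so comparing the
// two strings (which is what a WHERE password = ... clause does) cannot match.
$again = password_hash(md5('foobar'), PASSWORD_BCRYPT);
var_dump($legacy === $again);

// password_verify() reads the salt from the stored hash and recomputes.
var_dump(password_verify(md5('foobar'), $legacy));

// Correct password on a legacy row: login succeeds and a replacement hash
// over the plaintext is returned, ready to be saved to the user record.
[$ok, $newHash] = verifyAndUpgrade('foobar', $legacy);
var_dump($ok, password_verify('foobar', $newHash));

// Wrong password: neither scheme verifies and nothing is re-hashed.
[$ok, $newHash] = verifyAndUpgrade('wrong-password', $legacy);
var_dump($ok, $newHash);
```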
MichalOravec's avatar

@devondahon You said that you store password as Hash::make(md5('password'))

@kima Thanks for copying my post...

If it's only md5('password') then

/**
 * Attempt to log the user into the application.
 *
 * @param  \Illuminate\Http\Request  $request
 * @return bool
 */
protected function attemptLogin(Request $request)
{
    $isPassed = $this->guard()->attempt($this->credentials($request), $request->filled('remember'));

    if (! $isPassed) {
        $user = User::where($username = $this->username(), $request->{$username})
            ->where('password', md5($request->password))
            ->first();

        if ($user) {
            $user->password = Hash::make($request->password);

            $user->save();

            $this->guard()->login($user, $request->filled('remember'));

            return true;
        }
    }

    return $isPassed;
}

I just changed Hash::make(md5('password')) to md5($request->password) from my previous post.

devondahon's avatar

@michaloravec I tried this last method, but I could not sign in with either the bcrypt or the md5+bcrypt password (I didn't check why). The method from @kima works perfectly fine, so I will stick to it for the moment. And again, thanks a lot for your answer, which helped me a lot to understand the login process.
