A quick question: In the Laravel docs for Authentication it's recommended that the password column is at least 60 characters in length. How many characters can a password be before the hash reaches 60 characters?
There are some users having problems logging in, and I can see that it is because Laravel can't decrypt the password, and I am suspecting that the whole hash isn't stored in the DB.
The hash should always be 60 characters long, no matter what you input as the password. You can have a 500 character paragraph as a password, but when hashed, it will always be 60 characters long.
Also, the password isn't encrypted so it's impossible to decrypt the password.
PASSWORD_BCRYPT - Use the CRYPT_BLOWFISH algorithm to create the hash. This will produce a standard crypt() compatible hash using the "$2y$" identifier. The result will always be a 60 character string, or FALSE on failure.
Hmm.. On all records that can't be decrypted there is always a hash, not FALSE. Are there any characters that can create a "false" hash? It doesn't happen often, but there have been 3-4 issues over the last couple of months.
I'm not sure what you mean. Passwords cannot be decrypted because they are not encrypted.
Try showing us some code on how you are authenticating the users so we can see if there are any potential issues. Also, if you can, post the error message as well. At the moment, I'm not aware of any authentication bugs.
Sorry, I may have written that confusingly. The last question is not about passwords and authentication, it's about a field that I am encrypting. It stores some sensitive information. The problem is, when viewing some records, Laravel can't decrypt the value (I'm using bcrypt and a try/catch). The record is showing an encrypted string, not FALSE, but it's still not possible to decrypt it.
My question is: Is there any maximum number of characters that would make Laravel create a bigger string than the column can store (over 60)? Are there any characters that can break the encryption process?
You cannot decrypt anything because you hashed it. Hashing works one-way. If you want to encrypt and decrypt fields, then you would need to use another method aside from bcrypt.
No matter how long the password, the bcrypt hasher will always generate a 60-character string. Well, technically, in PHP, I believe the max length of a string is 2^31 - 1 (2GB), but pretty safe to say that that is not happening.
@eriktobben Creating a cryptographic hash of something and encrypting something are completely different operations, don't mix them up.
A cryptographic hash is the result of a one-way function. It doesn't matter how long the input is, the output will have a fixed length. Therefore you cannot recreate the input from the output. To create a secure hash you can use the Hash facade or the global helper bcrypt().
Encrypting some input (the plaintext) will create encrypted output. Given the algorithm-specific key the input can be recreated from the output. You can use the Crypt facade to encrypt and decrypt data. bcrypt() cannot be used for this!
Both have different use cases. Use bcrypt() to create password hashes that you can safely store in your database. Use the Crypt facade to encrypt some kind of payload (e.g. a message) that you need to store safely but also present to the user as plaintext at some later point in time.
@skliche Hi! Sorry for my late response. I am talking about encrypting a payload. I have a field where a user can type in information that is encrypted in DB, and is decrypted again when viewed.
There are some cases where the try/catch fails, and after talking to the user, he informs me that it happened when he was typing in a larger number of characters. My question was: Will the encrypted string be longer when a larger payload is encrypted, or will it always have the same number of characters?
@eriktobben Encrypting data will generate a variable length output depending on the length of the payload. Use php tinker and try it out:
Crypt::encrypt("Hi");
Crypt::encrypt("Encrypting data will generate a variable length output depending on the length of the payload");
You can use decrypt to get the plaintext:
$encrypted = Crypt::encrypt("This is a test");
$plaintext = Crypt::decrypt($encrypted);
But keep something important in mind: The Crypt facade uses the encryption key set in config/app.php. You cannot decrypt something you encrypted on an installation that uses a different key.
You can test this with php tinker as well. Create two Laravel projects with different keys, let's call them project A and project B. Encrypt something with php tinker in project A and try to decrypt it with php tinker in project B.
That also means that you won't be able to decrypt anything if you lose that key.
And just to be really clear on this: You cannot use the bcrypt() helper function or the Hash facade for encryption/decryption.
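The two points this thread turns on (a bcrypt hash is always 60 characters, while encrypted output grows with the payload and fails to decrypt once it has been cut off by a too-short column) can be checked without a Laravel install. The following is an added example, not code posted in this thread and not Laravel's own Encrypter; it is plain PHP that mirrors the shape of Laravel's payload (base64 of JSON with iv, value and mac fields) and uses a constructed random key where Laravel would use APP_KEY from config/app.php.

```php
<?php
// Added illustration (not from the thread, not Laravel code). Run with: php demo.php
declare(strict_types=1);

// --- 1. Hashing: output length does not depend on input length -------------
// bcrypt only processes the first 72 bytes of the input, but even a 500-char
// password still produces a 60-character "$2y$..." string.
foreach ([8, 72, 500] as $n) {
    $hash = password_hash(str_repeat('a', $n), PASSWORD_BCRYPT);
    printf("bcrypt of %3d-char password -> %d chars\n", $n, strlen($hash)); // 60 every time
}

// --- 2. Encryption: output length grows with the payload -------------------
// Constructed 32-byte key for AES-256 (Laravel keeps this in APP_KEY).
$key = random_bytes(32);

// Same layout as Laravel's Encrypter payload: base64(json{iv, value, mac}).
function encryptPayload(string $plaintext, string $key): string
{
    $iv = random_bytes(16);
    $ciphertext = openssl_encrypt($plaintext, 'AES-256-CBC', $key, OPENSSL_RAW_DATA, $iv);
    if ($ciphertext === false) {
        throw new RuntimeException('encryption failed');
    }
    $ivB64    = base64_encode($iv);
    $valueB64 = base64_encode($ciphertext);
    // MAC over iv + ciphertext: a wrong key, tampering or a truncated DB value is
    // caught here before anything is decrypted.
    $mac = hash_hmac('sha256', $ivB64 . $valueB64, $key);
    return base64_encode(json_encode(['iv' => $ivB64, 'value' => $valueB64, 'mac' => $mac]));
}

function decryptPayload(string $payload, string $key): string
{
    $json = json_decode(base64_decode($payload, true) ?: '', true);
    if (!is_array($json) || !isset($json['iv'], $json['value'], $json['mac'])) {
        throw new RuntimeException('payload is not a valid envelope (truncated in the DB?)');
    }
    $expected = hash_hmac('sha256', $json['iv'] . $json['value'], $key);
    if (!hash_equals($expected, $json['mac'])) {
        throw new RuntimeException('MAC mismatch: wrong key or corrupted payload');
    }
    $plain = openssl_decrypt(base64_decode($json['value']), 'AES-256-CBC', $key,
                             OPENSSL_RAW_DATA, base64_decode($json['iv']));
    if ($plain === false) {
        throw new RuntimeException('decryption failed');
    }
    return $plain;
}

foreach ([2, 60, 500] as $n) {
    $plaintext = str_repeat('x', $n);
    $payload   = encryptPayload($plaintext, $key);
    printf("encrypt %3d-char payload -> %d chars\n", $n, strlen($payload)); // grows with $n
    if (decryptPayload($payload, $key) !== $plaintext) {
        throw new RuntimeException('round trip failed');
    }
}

// --- 3. What a 60-character column does to an encrypted value --------------
// The stored value still looks like an encrypted string, but it can never be
// decrypted again; this is the failure the try/catch in the thread is catching.
$truncated = substr(encryptPayload(str_repeat('x', 500), $key), 0, 60);
try {
    decryptPayload($truncated, $key);
} catch (RuntimeException $e) {
    echo "truncated payload: {$e->getMessage()}\n";
}
```

Even the two-character payload produces an envelope of well over 60 characters, because the IV, ciphertext block and HMAC are fixed costs before the plaintext itself adds anything. For an encrypted column, use TEXT (or a VARCHAR sized for the largest envelope you expect) rather than the 60 characters that suit a bcrypt hash, and treat a decrypt failure on a stored record as data that was already lost at write time, not as a key problem.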