@maxnb Laravel’s bcrypt() helper function just calls the hash service. They’re both the same:
https://github.com/laravel/framework/blob/5.3/src/Illuminate/Foundation/helpers.php#L182
I need to manually create a user and set a password. I've seen a couple of examples where Hash is used, for example like this:
$user = new App\User();
$user->password = Hash::make('12345');
$user->email = '[email protected]';
$user->save();
but Laravel uses bcrypt
protected function create(array $data)
{
    return User::create([
        'username' => $data['username'],
        'email' => $data['email'],
        'password' => bcrypt($data['password']),
    ]);
}
they both have different output on the same input
Hash:
pass: $2y$10$7f7eoV0gjfZel4GLAC4AIOsy9x.Mg4u.q0rIl8AYEIeenJDqsxeYe
bcrypt:
pass: $2y$10$ZhYiZwPsT2KWPjRnIV1jjOiOEjYg280T8IMIG/WhIVTc8nVU1JMoC
Which one is correct to use?
When a user tries to log in and enters a password, how does Laravel compare this password to what is in the database?
It uses PHP's built-in password_verify() function.
How does it work? Magic. No seriously, magic. On topics of cryptography, you will at some point be forced to choose between two possibilities:
Anyway, password_hash() returns different values each time because it appends a random string (a "salt") to the password. The salt is actually contained in the output hash.
If the same password is hashed with the same salt, you will always get the same output. Therefore password_verify() looks at the stored hash, extracts the salt, and then hashes the given password with that same salt.
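The salt reuse described in the answer above, as an added example that is not part of the original thread and is not Laravel's own code: this plain-PHP script splits the two hashes from the question into cost, salt and digest, then checks a password both with password_verify() and with a hand-written re-hash. The helper names parseBcrypt and verifyByRehash and the sample password are assumptions made for the example.

```php
<?php
// Added example: plain PHP, no Laravel required.

// Split "$2y$<cost>$<22-char salt><31-char digest>" into its fields.
function parseBcrypt(string $hash): array
{
    $re = '/^\$(2[abxy])\$(\d{2})\$([.\/A-Za-z0-9]{22})([.\/A-Za-z0-9]{31})$/';
    if (!preg_match($re, $hash, $m)) {
        throw new InvalidArgumentException('not a bcrypt hash');
    }
    return ['variant' => $m[1], 'cost' => (int) $m[2], 'salt' => $m[3], 'digest' => $m[4]];
}

// Illustrative stand-in for password_verify(), bcrypt only (hypothetical helper).
function verifyByRehash(string $password, string $stored): bool
{
    parseBcrypt($stored); // throws on anything that is not bcrypt
    // The first 29 characters carry variant, cost and salt; crypt() reuses them.
    $recomputed = crypt($password, substr($stored, 0, 29));
    return hash_equals($stored, $recomputed); // constant-time comparison
}

// The two hashes posted in the question.
$fromQuestion = [
    'Hash::make' => '$2y$10$7f7eoV0gjfZel4GLAC4AIOsy9x.Mg4u.q0rIl8AYEIeenJDqsxeYe',
    'bcrypt'     => '$2y$10$ZhYiZwPsT2KWPjRnIV1jjOiOEjYg280T8IMIG/WhIVTc8nVU1JMoC',
];
foreach ($fromQuestion as $label => $hash) {
    $p = parseBcrypt($hash);
    printf("%-10s cost=%d salt=%s\n", $label, $p['cost'], $p['salt']);
}

// Constructed sample password, hashed twice with bcrypt at cost 10
// (the same "$2y$10$" prefix seen in the question).
$password = 'constructed-sample-password';
$first  = password_hash($password, PASSWORD_BCRYPT, ['cost' => 10]);
$second = password_hash($password, PASSWORD_BCRYPT, ['cost' => 10]);

printf("hashes identical:        %s\n", var_export($first === $second, true));
printf("password_verify, first:  %s\n", var_export(password_verify($password, $first), true));
printf("password_verify, second: %s\n", var_export(password_verify($password, $second), true));
printf("verifyByRehash, first:   %s\n", var_export(verifyByRehash($password, $first), true));
printf("verifyByRehash, wrong:   %s\n", var_export(verifyByRehash('wrong-guess', $first), true));
```

In application code, call password_verify() rather than a hand-written re-hash; verifyByRehash exists only to make the salt reuse visible.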