
nikocraft's avatar

Should I use bcrypt or Hash::make for the password when I manually create a user?

I need to manually create a user and set a password. I've seen a couple of examples where Hash is used, for example like this:

    $user = new App\User();
    $user->password = Hash::make('12345');
    $user->email = '[email protected]';
    $user->save();

but Laravel uses bcrypt

    protected function create(array $data)
    {
        return User::create([
            'username' => $data['username'],
            'email' => $data['email'],
            'password' => bcrypt($data['password']),
        ]);
    }

they both have different output on the same input

Hash:

pass: $2y$10$7f7eoV0gjfZel4GLAC4AIOsy9x.Mg4u.q0rIl8AYEIeenJDqsxeYe

bcrypt:

pass: $2y$10$ZhYiZwPsT2KWPjRnIV1jjOiOEjYg280T8IMIG/WhIVTc8nVU1JMoC 

Which one is correct to use?

0 likes
4 replies
Snapey's avatar

The answer will always be different; even if you just use bcrypt, you won't get the same answer twice.

1 like
nikocraft's avatar

OK, thanks guys, one more follow-up question.

When a user tries to log in and enters a password, how does Laravel compare this password to what is in the database? It can't use bcrypt to get the hash and then compare that with the database hash, so what does it do behind the scenes to compare the password entered and the hash in the database?

MikeHopley's avatar
Level 17

When user tries to login and enters password how does Laravel compare this password to what is in database?

It uses PHP's built-in password_verify() function.

How does it work? Magic. No seriously, magic. On topics of cryptography, you will at some point be forced to choose between two possibilities:

  • Accept that it's magic, and get on with your life
  • Become a professional cryptographer

Anyway, password_hash() returns different values each time because it appends a random string (a "salt") to the password. The salt is actually contained in the output hash.

If the same password is hashed with the same salt, you will always get the same output. Therefore password_verify() looks at the stored hash, extracts the salt, and then hashes the given password with that same salt.

9 likes
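The verification step described in the answer above, as an added example that is not part of any post in this thread. It splits the two hashes from the question into their bcrypt fields, then verifies a freshly generated hash by re-hashing with the salt taken from the stored string; `bcrypt_parts()` and `verify_by_hand()` are hypothetical helper names, and in application code `password_verify()` (or Laravel's `Hash::check()`) is the call to use.

```php
<?php
// Added example. '12345' is the sample password from the question.
$password = '12345';

// Split a bcrypt string: $<variant>$<cost>$<22-char salt><31-char digest>
function bcrypt_parts(string $hash): array
{
    $re = '/^\$(2[abxy])\$(\d{2})\$([.\/A-Za-z0-9]{22})([.\/A-Za-z0-9]{31})$/';
    if (!preg_match($re, $hash, $m)) {
        throw new InvalidArgumentException('not a bcrypt hash');
    }
    return ['variant' => $m[1], 'cost' => (int) $m[2], 'salt' => $m[3], 'digest' => $m[4]];
}

// Hand-rolled equivalent of password_verify(), for illustration only:
// crypt() reads variant, cost and salt from the stored string's prefix,
// and hash_equals() compares the result in constant time.
function verify_by_hand(string $candidate, string $stored): bool
{
    return hash_equals($stored, crypt($candidate, $stored));
}

// The two hashes posted in the question: same format and cost, different salts.
$posted = [
    'Hash::make' => '$2y$10$7f7eoV0gjfZel4GLAC4AIOsy9x.Mg4u.q0rIl8AYEIeenJDqsxeYe',
    'bcrypt'     => '$2y$10$ZhYiZwPsT2KWPjRnIV1jjOiOEjYg280T8IMIG/WhIVTc8nVU1JMoC',
];
foreach ($posted as $label => $hash) {
    $p = bcrypt_parts($hash);
    printf("%-10s variant=%s cost=%d salt=%s\n", $label, $p['variant'], $p['cost'], $p['salt']);
}

// Hash the same input twice; each call draws a new random salt.
$stored = password_hash($password, PASSWORD_BCRYPT, ['cost' => 10]);
$again  = password_hash($password, PASSWORD_BCRYPT, ['cost' => 10]);

var_dump($stored === $again);                      // compares the two full hash strings
var_dump(password_verify($password, $stored));     // built-in check against the first hash
var_dump(password_verify($password, $again));      // built-in check against the second hash
var_dump(verify_by_hand($password, $stored));      // re-hash with the stored salt, then compare
var_dump(verify_by_hand('wrong-guess', $stored));  // a different candidate, same stored salt
```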
