Hashing
Introduction
The Laravel Hash
facade provides secure Bcrypt hashing for storing user passwords. If you are using the built-in LoginController
and RegisterController
classes that are included with your Laravel application, they will automatically use Bcrypt for registration and authentication.
Bcrypt is a great choice for hashing passwords because its "work factor" is adjustable, which means that the time it takes to generate a hash can be increased as hardware power increases.
Basic Usage
You may hash a password by calling the make
method on the Hash
facade:
<?php namespace App\Http\Controllers; use Illuminate\Http\Request;use Illuminate\Support\Facades\Hash;use App\Http\Controllers\Controller; class UpdatePasswordController extends Controller{ /** * Update the password for the user. * * @param Request $request * @return Response */ public function update(Request $request) { // Validate the new password length... $request->user()->fill([ 'password' => Hash::make($request->newPassword) ])->save(); }}
The make
method also allows you to manage the work factor of the bcrypt hashing algorithm using the rounds
option; however, the default is acceptable for most applications:
$hashed = Hash::make('password', [ 'rounds' => 12]);
Verifying A Password Against A Hash
The check
method allows you to verify that a given plain-text string corresponds to a given hash. However, if you are using the LoginController
included with Laravel, you will probably not need to use this directly, as this controller automatically calls this method:
if (Hash::check('plain-text', $hashedPassword)) { // The passwords match...}
Checking If A Password Needs To Be Rehashed
The needsRehash
function allows you to determine if the work factor used by the hasher has changed since the password was hashed:
if (Hash::needsRehash($hashed)) { $hashed = Hash::make('plain-text');}