Introduction
The Laravel Hash
facade
provides secure Bcrypt and Argon2 hashing for storing user passwords. If
you are using the built-in LoginController
and
RegisterController
classes that are included with your
Laravel application, they will use Bcrypt for registration and
authentication by default.
Tip!! Bcrypt is a great choice for hashing passwords because its "work factor" is adjustable, which means that the time it takes to generate a hash can be increased as hardware power increases.
Configuration
The default hashing driver for your application is configured in the
config/hashing.php
configuration file. There are currently
three supported drivers: Bcrypt and Argon2 (Argon2i and
Argon2id variants).
Note: The Argon2i driver requires PHP 7.2.0 or greater and the Argon2id driver requires PHP 7.3.0 or greater.
Basic Usage
You may hash a password by calling the make
method on
the Hash
facade:
<?php
namespace App\Http\Controllers;
use App\Http\Controllers\Controller;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Hash;
class UpdatePasswordController extends Controller
{
/**
* Update the password for the user.
*
* @param Request $request
* @return Response
*/
public function update(Request $request)
{
// Validate the new password length...
$request->user()->fill([
'password' => Hash::make($request->newPassword)
])->save();
}
}
Adjusting The Bcrypt Work Factor
If you are using the Bcrypt algorithm, the make
method
allows you to manage the work factor of the algorithm using the
rounds
option; however, the default is acceptable for most
applications:
$hashed = Hash::make('password', [
'rounds' => 12,
]);
Adjusting The Argon2 Work Factor
If you are using the Argon2 algorithm, the make
method
allows you to manage the work factor of the algorithm using the
memory
, time
, and threads
options; however, the defaults are acceptable for most applications:
$hashed = Hash::make('password', [
'memory' => 1024,
'time' => 2,
'threads' => 2,
]);
Tip!! For more information on these options, check out the official PHP documentation.
Verifying A Password Against A Hash
The check
method allows you to verify that a given
plain-text string corresponds to a given hash. However, if you are using
the LoginController
included
with Laravel, you will probably not need to use this directly, as
this controller automatically calls this method:
if (Hash::check('plain-text', $hashedPassword)) {
// The passwords match...
}
Checking If A Password Needs To Be Rehashed
The needsRehash
function allows you to determine if the
work factor used by the hasher has changed since the password was
hashed:
if (Hash::needsRehash($hashed)) {
$hashed = Hash::make('plain-text');
}