Laravel 5.4 - Which hash algorithm is used by auth? - laravel

I am trying to write my own register controller, but the documentation does not mention which hash algorithm Laravel uses.
Which one is used?

You can just use bcrypt() global helper to create hashed password:
bcrypt($request->password)

You can use Hash::make($request->password);

The answer to your question from the post's title ("Which hash algorithm is used by auth?") can be found on mnshankar.wordpress.com - Laravel Hash::make() explained.
Here is the first sentence from the "How?" section of the linked blog post:
Internally, Hash::make() encrypts using the bcrypt function and Blowfish algorithm.
Also, you can see on the Laravel 5.4 docs - Hashing page that they say:
The Laravel Hash facade provides secure Bcrypt hashing for storing user passwords.

Related

Laravel Password Encryption Parameters to decrypt the code

I have a different requirement: I don't want to decode the password, but I am building another app on the SAME DATABASE for LOGIN, so what can I do to "encrypt the password value so that it matches the backend password encrypted code"?
I want to provide LOGIN from a CODEIGNITER app where the database is created by the admin app in LARAVEL ... this is the issue...
So if someone logs in through CodeIgniter, the password will be encrypted to the equivalent hash that the Laravel application code produces.
The Encrypted Password is
$2y$10$cwd15HRgON0ytqkkV5F9zupfUOkqaii7fpbB9Kjd9I7W46LRYY0Km
And the real PASSWORD is
123456
Please help...
Caddy DZ's answer is right, but to better answer your question you should know that every time you generate a new hash with the bcrypt function, a new random salt is used.
This means you end up with a different hash for the same password each time you generate one.
The only way you have to verify the correctness of the password, is to use a built-in php function called password_verify.
That function will hash your password (that you provide as a second argument) with the same salt that has been used to generate the stored password (the salt to use is stored in the password hash) you already have in the database:
$password = '123456';
$saved = 'your stored hash';
if (password_verify($password, $saved)) {
    echo 'Correct password.';
}
You can check the documentation about password_verify
This is not standard encryption that can be decrypted; this is hashing, which is only one-way encryption.
To make this work, you need to use the same hashing algorithm between the two apps (Laravel and CodeIgniter).
For instance, Laravel uses bcrypt by default to hash the password, so you need to configure CodeIgniter to use the same, or vice versa.
bcrypt for codeigniter

Laravel Encryptable Trait Failing Authentication

I'm running into trouble with authentication handling in my Laravel 5.5 app. I have installed an Encryptable trait according to this post here. I then used the authentication generator to establish the base routes, views and handler.
I can successfully register new accounts and visually see that all of the data is encrypted, but I cannot successfully authenticate through the login screen.
This seems to be failing during the Auth::attempt($credentials) call. My troubleshooting is pointing to the encryptable trait because when I comment that section out, the authentication works fine.
Can someone offer insight as to how to handle authentication using this method of model encryption?
I have attempted disabling encryption for the username field, but this didn't seem to help. The password field was never being encrypted, because it is being hashed by bcrypt.
1st Edit:
So, with an understanding of how traits work... The Encryptable trait seems to be overloading the getAttribute/setAttribute functions. This would mean that Eloquent's querying functions like where, find, etc. will just be "looking at" encrypted values.
2nd Edit:
The source code provided for the Encryptable trait was not returning proper values for unencrypted values. This was changed and authentication was restored. To those using the same code snippet, in the get_attribute() function, change the else block so that it returns $value;.
I appreciate all insights,
Dan
This form of encryption will void your ability to search the table for the encrypted fields. You won't be able to reproduce the same string because Laravel uses a random iv when producing encrypted data. An IV, or initialization vector, serves a similar purpose as a salt in hashing, to randomize the stored data.
Due to this randomization of data, you wouldn't even be able to search your table by re-encrypting the search data:
User::where('email', Crypt::encrypt('email#email.com'));
// won't find anything even if an encrypted value of email#email.com exists
Running in an interactive shell allows you to see encrypt returns a completely different value on subsequent runs:
>>> json_decode(base64_decode(Crypt::encrypt('email#email.com')))->value
=> "zpA0LBsbkGCAagxLYB6kiqwJZmm7HSCVm4QrUw6W8SE="
>>> json_decode(base64_decode(Crypt::encrypt('email#email.com')))->value
=> "VKz8CWVzR66cv/J7J09K+TIVwQPxcIg+SDqQ32Sr7rU="
Therefore, you may want to be selective about what you actually encrypt. Encrypt things that are sensitive and you wouldn't use to lookup an entity. This could be something like social security numbers, government IDs, credit card numbers, and bank account numbers.
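To make the answer above concrete, here is an added example (not Laravel's Encrypter and not the Encryptable trait from the question) showing why a fresh random IV makes an encrypted column unsearchable by re-encrypting the search term, and the usual remedy for equality lookups: a deterministic keyed "blind index" stored beside the ciphertext. The keys, the sample e-mail and the function names are constructed for this demo; the cipher wrapper is a simplified stand-in without the HMAC that Laravel's Encrypter adds.

```php
<?php
// Constructed keys: one for encryption (stand-in for APP_KEY), a separate one
// for the blind index so the index never reveals anything about the data key.
$encKey   = random_bytes(32);
$indexKey = random_bytes(32);

// Simplified stand-in for Crypt::encrypt(): AES-256-CBC with a random 16-byte IV
// prepended to the ciphertext. Laravel additionally authenticates the payload
// with an HMAC; that is omitted here to keep the point about the IV visible.
function encryptValue(string $plain, string $key): string
{
    $iv = random_bytes(16);
    $ct = openssl_encrypt($plain, 'aes-256-cbc', $key, OPENSSL_RAW_DATA, $iv);
    return base64_encode($iv . $ct);
}

function decryptValue(string $blob, string $key): string
{
    $raw = base64_decode($blob, true);
    $iv  = substr($raw, 0, 16);
    return openssl_decrypt(substr($raw, 16), 'aes-256-cbc', $key, OPENSSL_RAW_DATA, $iv);
}

// Deterministic blind index: the same (normalised) input always yields the same
// value, so "WHERE email_index = ?" works, while computing it requires $indexKey.
function blindIndex(string $plain, string $key): string
{
    return hash_hmac('sha256', mb_strtolower(trim($plain)), $key);
}

$email = 'user@example.com'; // constructed sample value

// Encrypting the same value twice yields two different blobs, which is exactly why
// User::where('email', Crypt::encrypt($email)) can never match the stored row.
$c1 = encryptValue($email, $encKey);
$c2 = encryptValue($email, $encKey);
var_dump($c1 !== $c2);
var_dump(decryptValue($c1, $encKey) === $email);

// What a row would carry: the ciphertext for reading back, the index for lookup.
$row = [
    'email_ciphertext' => $c1,
    'email_index'      => blindIndex($email, $indexKey),
];

// Lookup path: derive the index from the search term and compare on that column.
var_dump(blindIndex('User@Example.com ', $indexKey) === $row['email_index']);
```

A blind index reintroduces an equality oracle on that column (two rows with the same e-mail share an index value), so apply it only to fields you genuinely must search on, in line with the selectivity advice above.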

Laravel password

I have a question, if you don't mind:
- Why is the bcrypt password hash in Laravel random, unlike sha1?
I tested the password 12345678 in bcrypt and the results are different, while with sha1 the result is the same.
So how does the system recognize a bcrypt password at login?
Thank you
That's just how bcrypt() and Hash::make work. Every time you run the method, you get a different string.
To check if a password is correct, Laravel uses the Hash::check() method:
Hash::check($password, $hashedPassword)
Verifying A Password Against A Hash
The check method allows you to verify that a given plain-text string corresponds to a given hash.
Under the hood this method uses the password_verify PHP function.
https://laravel.com/docs/5.5/hashing#basic-usage

Decryption of hashed passwords

I am working on a website's framework translation. I have translated it from the Yii PHP framework to Laravel. I have an existing database and I have to provide login access for existing users to the new website. The problem is that now I am using Laravel, and Laravel does not recognize the hashed values of the previous framework, i.e. the values stored in the database that were hashed by some method in the Yii framework. Is there any way to resolve this? I am using the Auth::attempt() method in Laravel.
You can't... plain and simple...
Hashing isn't encryption. Hashing is one way; you can prove this to yourself by taking an md5 or shasum of a large file: since the file's size is larger than the hash's output, by the pigeonhole principle hashes can't be restored...
You could try to rainbow table them with password lists. Don't, because this is compromising users' security.
You will probably have to figure out a way to mash Yii's auth module into Laravel, or use some sort of middle man auth bit... or just make everyone change passwords.
The Yii framework generates password hashes through the crypt function, and according to the documentation it generates BCrypt hashes. You can check this easily by looking at the hashes: BCrypt hashes start with $2y.
So Laravel should actually be able to check passwords against your hashes; if you cannot find a method integrated in Laravel itself, you can surely use the password_verify() function to check the hashes.
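The CodeIgniter interop answer, the "Laravel password" answer and the Yii migration answer above all come down to the same thing: a Laravel bcrypt hash is a standard PHP password_hash() string, so any PHP app sharing the database verifies it with password_verify() rather than by re-hashing and comparing. This added example (not code from any of the answers or from Laravel) shows the hash layout, that two hashes of one password differ yet both verify, and how to upgrade a legacy hash's cost after a successful login. It assumes PHP >= 7.1; the helper names are mine, and the parsed hash is the one quoted in the CodeIgniter question.

```php
<?php
// Laravel's Hash::make() calls password_hash() with PASSWORD_BCRYPT (cost 10 by
// default). The result is a 60-character modular-crypt string:
//   $2y$<2-digit cost>$<22-char salt><31-char digest>
function describeBcryptHash(string $hash): array
{
    $re = '#^\$2[aby]\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$#';
    if (!preg_match($re, $hash, $m)) {
        throw new InvalidArgumentException('Not a bcrypt hash');
    }
    return ['cost' => (int) $m[1], 'salt' => $m[2], 'digest' => $m[3]];
}

// The check every app sharing the table must perform. Never hash the submitted
// password again and compare strings: the salt is random per hash, so that
// comparison always fails. password_verify() reads the salt out of the stored hash.
function checkAgainstStoredHash(string $plain, string $stored): bool
{
    return password_verify($plain, $stored);
}

// Migration helper: after a correct login, transparently re-hash legacy entries
// whose cost is lower than the one you now want. Returns the hash to store, or
// null when the password was wrong.
function rehashIfNeeded(string $plain, string $stored, int $targetCost = 12): ?string
{
    if (!password_verify($plain, $stored)) {
        return null;
    }
    if (password_needs_rehash($stored, PASSWORD_BCRYPT, ['cost' => $targetCost])) {
        return password_hash($plain, PASSWORD_BCRYPT, ['cost' => $targetCost]);
    }
    return $stored;
}

// Hash quoted from the CodeIgniter question above: cost 10, then salt and digest.
print_r(describeBcryptHash('$2y$10$cwd15HRgON0ytqkkV5F9zupfUOkqaii7fpbB9Kjd9I7W46LRYY0Km'));

// Two hashes of the same password are different strings, yet both verify,
// and a near-miss password does not.
$h1 = password_hash('123456', PASSWORD_BCRYPT, ['cost' => 10]);
$h2 = password_hash('123456', PASSWORD_BCRYPT, ['cost' => 10]);
var_dump($h1 !== $h2);
var_dump(checkAgainstStoredHash('123456', $h1));
var_dump(checkAgainstStoredHash('123456', $h2));
var_dump(checkAgainstStoredHash('1234567', $h1));

// The upgraded hash verifies just like the old one and now carries cost 12.
$upgraded = rehashIfNeeded('123456', $h1);
var_dump($upgraded !== null && describeBcryptHash($upgraded)['cost'] === 12);
```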

Tank auth to use md5

I am working on a registration system for a 3rd party server, and (though tank auth's hashing is great), I need an md5 (so the third party software can check against it).
Is there an easy way to do this?
Thanks,
Max
If you want to do it the right way, you would write your own hash functions to use in Tank_Auth and remove the current ones.
If you don't want to do it the right way, Tank_Auth uses the included phpass PasswordHash class to hash and validate passwords. Only two functions are called from the Tank_Auth library: CheckPassword and HashPassword. Make a backup, and rewrite these two functions to use md5() instead. You may simply ignore the configuration and other PasswordHash methods.
PHP has a built in md5 hashing function ( md5() ), although I'd recommend sha1 ( sha1() ) over md5.
edit: ah, you're required to use an md5 hash is what you're saying? then just md5()
