Laravel uses bcrypt
to hash passwords.
According to this article, at some point in the process, the Hash::make
function creates and uses a 22-length random string as a salt to generate the password.
For a single distinct password, Hash::make
does return unique hashes, hinting that it does use some kind of salting somewhere in the process.
But these salts are not stored in the users table, where I would expect them. How does laravel know the appropriate hash to use to verify the password?
Laravel Hash Explained
The easiest way is to put the salt in front of the password and hash the combined text string. The salt is not an encryption key, so it can be stored in the password database along with the username – it serves merely to prevent two users with the same password getting the same hash.
Laravel uses bcrypt to hash passwords. According to this article, at some point in the process, the Hash::make function creates and uses a 22-length random string as a salt to generate the password.
As you are using the salt in the way that it's stored, it's actually stored in plain text.
The article that you linked seems to contain the answer. https://mnshankar.wordpress.com/2014/03/29/laravel-hash-make-explained/
The cleverness of this is that the algorithm, salt and cost are embedded into the hash and so can be easily parsed out into individual components for reconstruction/verification (Please see relevant sections of the php crypt source code at https://github.com/php/php-src/blob/master/ext/standard/crypt.c#L258). Because of this, you don’t need to store the salt/cost separately in a database table.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With