Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Where are laravel password salts stored?

Laravel uses bcrypt to hash passwords.

According to this article, at some point in the process, the Hash::make function creates and uses a 22-length random string as a salt to generate the password.

For a single distinct password, Hash::make does return unique hashes, hinting that it does use some kind of salting somewhere in the process.

But these salts are not stored in the users table, where I would expect them. How does laravel know the appropriate hash to use to verify the password?

Laravel Hash Explained

like image 325
Nick Pickering Avatar asked Aug 16 '15 01:08

Nick Pickering


People also ask

Where should password salts be stored?

The easiest way is to put the salt in front of the password and hash the combined text string. The salt is not an encryption key, so it can be stored in the password database along with the username – it serves merely to prevent two users with the same password getting the same hash.

Are laravel passwords salted?

Laravel uses bcrypt to hash passwords. According to this article, at some point in the process, the Hash::make function creates and uses a 22-length random string as a salt to generate the password.

Are password salts stored in plain text?

As you are using the salt in the way that it's stored, it's actually stored in plain text.


1 Answers

The article that you linked seems to contain the answer. https://mnshankar.wordpress.com/2014/03/29/laravel-hash-make-explained/

The cleverness of this is that the algorithm, salt and cost are embedded into the hash and so can be easily parsed out into individual components for reconstruction/verification (Please see relevant sections of the php crypt source code at https://github.com/php/php-src/blob/master/ext/standard/crypt.c#L258). Because of this, you don’t need to store the salt/cost separately in a database table.

like image 53
duffn Avatar answered Sep 21 '22 08:09

duffn