3
votes

I'm using Laravel 5.4. I know that hashing is a one-way thing. As I remember, I hashed passwords and saved them in the database, and when I wanted to check a user's password I would hash their entered password and check it against the hashed string in the database.

In Laravel I only need to write the code below:

    $email = $request['email'];
    $pass = $request['password'];   // plain text, not hashed by me

    // attempt() looks up the user by email and checks the plain-text password
    // against the bcrypt hash stored in the database
    if (Auth::attempt(['email' => $email, 'password' => $pass])) {
        // return something
    }

There is no need to call bcrypt($request['password']).

Even though every time I use bcrypt the hash string is different.

How does Auth::attempt hash the password with bcrypt to check passwords?


I need an explanation of how Auth::attempt works while using bcrypt. I know how to implement the code and check passwords.

2
Using bcrypt is not checking the exact string but rather the format, which can't be decrypted in a challenge. – Niklesh Raut

Ex. If it gave the same string we could guess others' passwords. – Niklesh Raut

They already built in the Auth::attempt function! So just check with that function. – David Jaw Hpan

What have you tried to gather information about this? Laravel is open source, so why not check the source code for more details? – Nico Haase

The answer has been found. I was just editing my question :) – Alireza

2 Answers

1
votes

Laravel uses bcrypt for hashing passwords. bcrypt generates a random salt each time we use it. That's the reason we get a different hash while providing the same string.

How can we compare two hashes?

The random salt is saved alongside the hash:

[full hash] = [random-salt-part]+[hashed-string-with-random-salt]

So for comparing we should use the saved random-salt-part instead of a new random salt. This way we get the same hash.

Why use a random salt? In short: to fight against the likelihood of being cracked by a rainbow table. For a more detailed answer visit: https://security.stackexchange.com/questions/66989/how-does-a-random-salt-work

0
votes

If you are using the built-in LoginController and RegisterController classes that are included with your Laravel application, they will automatically use Bcrypt for registration and authentication.

For more details you can refer to this link: https://laravel.com/docs/5.4/hashing

The hashing method used by Laravel generates a different hash each time (even for the same string). It doesn't hash both strings and compare them; instead it uses the unhashed string to compare with the hash.

The check method allows you to verify that a given plain-text string corresponds to a given hash. However, if you are using the LoginController included with Laravel, you will probably not need to use this directly, as this controller automatically calls this method:

    // Hash::check re-hashes the plain text with the salt stored in $hashedPassword
    if (Hash::check('plain-text', $hashedPassword)) {
        // The passwords match...
    }
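Both answers above describe the same mechanism: the salt lives inside the stored string, and checking a password means re-running bcrypt with that stored salt rather than a fresh one. The script below is an added illustration, not code from the question, the answers or Laravel itself; it uses plain PHP's password_hash()/password_verify() (which Laravel's bcrypt hasher delegates to), a constructed sample password, and a hypothetical helper splitBcrypt() to pull the salt part out of the hash.

```php
<?php
// Added example: how a bcrypt hash is laid out and why verification is
// deterministic even though hashing the same password twice gives two strings.
//
//   $2y$10$<22-char salt><31-char digest>   (60 characters in total)
//   [full hash] = [random-salt-part] + [hashed-string-with-random-salt]

function splitBcrypt(string $hash): array
{
    // Hypothetical helper: parse variant, cost, salt and digest out of the hash.
    $re = '#^\$(2[aby])\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$#';
    if (!preg_match($re, $hash, $m)) {
        throw new InvalidArgumentException('not a bcrypt hash');
    }
    return ['variant' => $m[1], 'cost' => (int) $m[2], 'salt' => $m[3], 'digest' => $m[4]];
}

$plain = 'correct horse battery staple';   // constructed sample input

// 1. Two hashes of the same password differ, because each call draws a new salt.
$h1 = password_hash($plain, PASSWORD_BCRYPT, ['cost' => 10]);
$h2 = password_hash($plain, PASSWORD_BCRYPT, ['cost' => 10]);
var_dump($h1 !== $h2);                     // bool(true)

// 2. The salt is not secret: it is right there in the stored string.
$parts = splitBcrypt($h1);
printf("variant=%s cost=%d salt=%s\n", $parts['variant'], $parts['cost'], $parts['salt']);

// 3. Re-hash the plain text with the *stored* salt instead of a random one:
//    crypt() accepts "$2y$<cost>$<salt>" as its salt argument and returns the
//    full 60-char hash, which now matches the stored one exactly.
$settings   = sprintf('$%s$%02d$%s', $parts['variant'], $parts['cost'], $parts['salt']);
$recomputed = crypt($plain, $settings);
var_dump(hash_equals($h1, $recomputed));   // bool(true), constant-time compare

// 4. password_verify() does steps 2 and 3 for you; Hash::check() in Laravel
//    and therefore Auth::attempt() end up here.
var_dump(password_verify($plain, $h1));    // bool(true)
var_dump(password_verify('wrong', $h1));   // bool(false)
```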