So I don't know what's going on, but here's some fun for you. If I do this

return bcrypt('hello'); exit(); 

and run it 3 times this is what I get back:

1st : $2y$10$T11IfKkHIAIXi0SRhjMXKeSQQtze8zBVZnWdlRXfsSdcCXKIq/n7W

2nd: $2y$10$DpKVtgbF4OVa3jm.wdG5..jb9AvXsuo2EfqnjuzmsEVCmcOVr5nKq

3rd: $2y$10$0.ziFneJu0wrS2b3rHA6kucnGBkS2MRtgfp0gtEb/7ZOCV8dG3Mmq

I'm stumped. It worked in Laravel 5.1 - I don't know if it's my fault or not, and sorry. Anyone else having this issue? Is there a fix for it?

Doesn't matter much if I get an answer; 5.2 is shite, not very good, and I'm moving back to Laravel 5.1 since A) it's more stable and B) it was developed before Taylor Otwell let Gibbons in on the project. Just thought I'd ask in case someone came across this and fixed it for other peeps.

Comments:

  • What exactly is your question? This is how a good password hashing system works; it's not just doing a simple md5 or something like that. This is the same way passwords are calculated in Linux. You can still auth fine with them, but it depends on what you're trying to do. Commented Jan 29, 2016 at 16:32
  • Look at the Hash::check function; a simple string comparison isn't going to cut it. Commented Jan 29, 2016 at 16:34
  • How did you confirm that bcrypt is broken? If all three times bcrypt returned the same value, would it be secure? Commented Jan 29, 2016 at 16:43
  • Because previously I would only have to hash it to check it (like Mark said with md5). I know Laravel has its own implementation (or PHP does) of bcrypt because when trying bcrypt with Node I wasn't able to install it (Windows, you see). Commented Jan 29, 2016 at 16:46

1 Answer

You want to use the Hash::check function:

Hash::check('hello', '$2y$10$T11IfKkHIAIXi0SRhjMXKeSQQtze8zBVZnWdlRXfsSdcCXKIq/n7W'); => true
Hash::check('not-hello', '$2y$10$T11IfKkHIAIXi0SRhjMXKeSQQtze8zBVZnWdlRXfsSdcCXKIq/n7W'); => false
Hash::check('hello', '$2y$10$DpKVtgbF4OVa3jm.wdG5..jb9AvXsuo2EfqnjuzmsEVCmcOVr5nKq'); => true
Hash::check('hello', '$2y$10$0.ziFneJu0wrS2b3rHA6kucnGBkS2MRtgfp0gtEb/7ZOCV8dG3Mmq'); => true
Hash::check('hello', '$2y$10$0.ziFneJu0wrS2b3rHA6kucnGFkS2MRtgfp0gtEb/7ZOCV8dG3Mmq'); => false

To explain how this works, you might want to check out the Wikipedia page:

For example, the shadow password record $2a$10$N9qo8uLOickgx2ZMRZoMyeIjZAgcfl7p92ldGxad68LJZdL17lhWy specifies a cost parameter of 10, indicating 2^10 key expansion rounds. The salt is N9qo8uLOickgx2ZMRZoMye and the resulting hash is IjZAgcfl7p92ldGxad68LJZdL17lhWy. Per standard practice, the user's password itself is not stored.

Also, for more reading: Do any security experts recommend bcrypt for password storage?

For even more reading: Storing User Passwords Securely: hashing, salting, and Bcrypt
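The mechanism the answer describes, as an added example in plain PHP (not code from the original post or from Laravel itself): Laravel's bcrypt() and Hash::check() are thin wrappers around PHP's password_hash() and password_verify() with PASSWORD_BCRYPT, so the same behaviour can be shown without the framework. The parseBcrypt() helper and the sample password are assumptions made for the example; the hash string it checks is the first one posted in the question.

```php
<?php
// Added example, not from the original post: why bcrypt('hello') differs on every call
// and how verification still succeeds. Uses only PHP's built-in password_* and crypt().
declare(strict_types=1);

// Assumed helper: split "$2y$<cost>$<22-char salt><31-char digest>" into its parts.
// The alphabet is bcrypt's Radix-64 (./A-Za-z0-9). Returns the fields or throws.
function parseBcrypt(string $hash): array
{
    $re = '/^\$(2[aby])\$(\d{2})\$([.\/A-Za-z0-9]{22})([.\/A-Za-z0-9]{31})$/';
    if (!preg_match($re, $hash, $m)) {
        throw new InvalidArgumentException('not a bcrypt hash');
    }
    return ['prefix' => $m[1], 'cost' => (int) $m[2], 'salt' => $m[3], 'digest' => $m[4]];
}

// What Hash::check() does: recompute with the salt and cost embedded in the stored hash,
// then compare in constant time. password_verify() does exactly this internally.
function checkPassword(string $plain, string $stored): bool
{
    return password_verify($plain, $stored);
}

// The same check done by hand, to make the salt reuse visible: crypt() reads the
// "$2y$10$<salt>" prefix from the stored value and re-derives the digest. hash_equals()
// avoids leaking where the strings first differ through timing.
function checkPasswordManually(string $plain, string $stored): bool
{
    return hash_equals($stored, crypt($plain, $stored));
}

$password = 'hello';                         // assumed sample input
$posted   = '$2y$10$T11IfKkHIAIXi0SRhjMXKeSQQtze8zBVZnWdlRXfsSdcCXKIq/n7W'; // from the question

// 1. Two hashes of one password differ because each call draws a fresh 128-bit random salt.
$h1 = password_hash($password, PASSWORD_BCRYPT, ['cost' => 10]);
$h2 = password_hash($password, PASSWORD_BCRYPT, ['cost' => 10]);
echo "same string? ", var_export($h1 === $h2, true), "\n";

// 2. Both still verify, as does the hash posted in the question, because the salt travels
//    inside the stored string. A plain string comparison against a fresh hash never will.
echo "h1 verifies:     ", var_export(checkPassword($password, $h1), true), "\n";
echo "h2 verifies:     ", var_export(checkPassword($password, $h2), true), "\n";
echo "posted verifies: ", var_export(checkPassword($password, $posted), true), "\n";
echo "wrong password:  ", var_export(checkPassword('not-hello', $posted), true), "\n";
echo "manual check:    ", var_export(checkPasswordManually($password, $posted), true), "\n";

// 3. The stored string carries algorithm id, cost, salt and digest; the password is absent.
print_r(parseBcrypt($posted));

// 4. Changing a single character of the digest (what the last Hash::check line in the answer
//    does) must fail, since the recomputed digest no longer matches.
$last     = $posted[-1];
$tampered = substr($posted, 0, -1) . ($last === 'a' ? 'b' : 'a');
echo "tampered digest: ", var_export(checkPassword($password, $tampered), true), "\n";

// 5. Operational caveat: when you later raise the cost, password_needs_rehash() reports
//    which stored hashes are below the new setting so they can be rehashed at next login.
echo "needs rehash at cost 12: ",
    var_export(password_needs_rehash($posted, PASSWORD_BCRYPT, ['cost' => 12]), true), "\n";
```

The design point to take away is that the random salt is not a bug but the reason bcrypt resists precomputed (rainbow table) attacks: identical passwords across users produce unrelated hashes, and the verifier never needs the salt stored separately because the hash string itself is self-describing. Note also that crypt() on a corrupted or unsupported salt string returns a short failure marker rather than a valid hash, which is why the manual check compares with hash_equals() against the full stored value instead of trusting crypt()'s output on its own.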
