Home » Php » php – Laravel 4 – Hashing same password gives different values

php – Laravel 4 – Hashing same password gives different values

Posted by: admin July 12, 2020 Leave a comment

Questions:

I am trying to authenticate a user using the Auth::attempt() method and it keeps failing, so I eventually ended up with the following code:

$arr = array();
$arr['verified'] = Hash::make('1234') . ' ; ' . Hash::make('1234');
return json_encode($arr);

and this is the result:

{"verified":"$2y$10$V4yXBUcxealfLrzOE\/xAD.sJ8qpNhrMA6K6dENBBXYqaVx1zSETgy ; $2y$10$C9xpOWLTUyfy1KL.Y3Tot.KWADmQYFK\/HAf6uZGGXTKcVh52qHS4m"}

As you can see, the first hash gives $2y$10$V4yXBUcxealfLrzOE\/xAD.sJ8qpNhrMA6K6dENBBXYqaVx1zSETgy and the second hash gives $2y$10$C9xpOWLTUyfy1KL.Y3Tot.KWADmQYFK\/HAf6uZGGXTKcVh52qHS4m

This should have nothing to do with the database even though when storing, I have a 60 character password field.

Any ideas?

How to&Answers:

This is perfectly fine and also the way it is supposed to work.
Laravel uses Bcrypt for Hashing and is therefore generating a random salt during the hashing process. The salt will be part of the Hash which is why you are getting two different results.

The veryfing algorithm is taking the salt into consideration automatically. This method makes the use of rainbow tables nearly impossible.

It’s not a bug, it’s extra security with no effort.

Given your example veryfing against both of your hashes will return true:

<?php

$hash1 = Hash::make('1234'); // A hash is generated
$hash2 = Hash::make('1234'); // Another hash is generated that differs from the first one

var_dump(Hash::check('1234', $hash1) && Hash::check('1234', $hash2));

Although $hash1 and $hash2 contain different hashes, veryfing against them with the given base string will evaluate to true.

The generated hash has a length of 60 characters. So it should be made sure that the column where the hash is stored also has a minimum size of 60 characters