Authentication
Last updated 2 years ago.

The salt for hashing is put in the database. It uses the PHP Password API (with Bcrypt encryption by default): http://www.php.net/manual/en/function.password-hash.php

When you look in the database, you can see that the hash consists of the used encryption and strength ($2y$10 = bcrypt with a cost of 10), then the salt and the hash.

The encryption key is used to encrypt. See http://laravel.com/docs/security#encryption

You have to know the key to decrypt an encrypted string. So be sure to change the key when starting a project, and never change it during a project, because you cannot decrypt already saved data with a different key.

Last updated 2 years ago.
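The two points in the reply above, illustrated with an added example (this is not code from the thread or from Laravel; it calls the same PHP functions Hash::make() and Hash::check() wrap, and uses plain openssl AES-CBC as a stand-in for Laravel's Crypt, which additionally MACs its payload; the sample password and keys are constructed for the demo):

```php
<?php
// Added example, not code from this thread or from Laravel. Needs PHP 7 with the
// openssl extension. The password and keys below are constructed for the demo.

/**
 * Split a bcrypt string into its fields. A password_hash() result is 60 characters:
 * "$2y$" + 2-digit cost + "$" + 22-character salt + 31-character digest, so the salt
 * does not need (and does not get) a column of its own.
 */
function splitBcrypt(string $hash): array
{
    if (!preg_match('#^\$(2[aby])\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$#', $hash, $m)) {
        throw new InvalidArgumentException('not a bcrypt hash: ' . $hash);
    }

    return ['algo' => $m[1], 'cost' => (int) $m[2], 'salt' => $m[3], 'digest' => $m[4]];
}

/** Toy key-dependent encryption: AES-256-CBC with a random IV prepended to the ciphertext.
 *  Laravel's Crypt does this plus a MAC; the point here is only the dependence on the key. */
function encryptWithKey(string $plaintext, string $key): string
{
    $iv = random_bytes(16);
    $ct = openssl_encrypt($plaintext, 'aes-256-cbc', $key, OPENSSL_RAW_DATA, $iv);

    return base64_encode($iv . $ct);
}

/** Returns the plaintext, or false when the key is wrong (the padding check fails). */
function decryptWithKey(string $blob, string $key)
{
    $raw = base64_decode($blob, true);

    return openssl_decrypt(substr($raw, 16), 'aes-256-cbc', $key, OPENSSL_RAW_DATA, substr($raw, 0, 16));
}

$password = 'correct horse battery staple';   // constructed sample

// 1. Hashing: the same input gives two different strings, because each call draws a fresh salt...
$h1 = password_hash($password, PASSWORD_BCRYPT, ['cost' => 10]);   // what Hash::make() does
$h2 = password_hash($password, PASSWORD_BCRYPT, ['cost' => 10]);
if ($h1 === $h2) {
    throw new RuntimeException('bcrypt must salt randomly');
}
echo json_encode(splitBcrypt($h1)), PHP_EOL;   // algo, cost, salt and digest, all read from one column

// ...and both still verify, because password_verify() reads cost and salt back out of the hash.
if (!password_verify($password, $h1) || !password_verify($password, $h2)) {   // what Hash::check() does
    throw new RuntimeException('verify must succeed with the stored hash');
}
if (password_verify('wrong password', $h1)) {
    throw new RuntimeException('verify must fail for a wrong password');
}

// 2. Encryption: reversible, but only with the key used to encrypt. Rotating the
//    app key therefore strands everything that was encrypted under the old one.
$oldKey = random_bytes(32);
$newKey = random_bytes(32);
$secret = 'session secret for user 42';
$blob   = encryptWithKey($secret, $oldKey);

if (decryptWithKey($blob, $oldKey) !== $secret) {
    throw new RuntimeException('the original key must round-trip');
}
if (decryptWithKey($blob, $newKey) !== false) {
    // Roughly 1 time in 256 a wrong key yields bytes with valid padding; even then the
    // result is garbage, never the plaintext.
    echo 'wrong key produced garbage rather than an error', PHP_EOL;
}
echo 'ok', PHP_EOL;
```

Run it with `php example.php`. The first JSON line is the same four fields you can read off the `password` column in the database; nothing else about the hash is stored anywhere.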

I use salts; you just have to make your own UserProvider and update this method.

You would add a field called salt, make your own interface that extends Illuminate's UserInterface, and add the method getAuthPasswordSalt that returns the salt the password was created with.

	/**
	 * Validate a user against the given credentials.
	 *
	 * @param  MyUserInterface  $user
	 * @param  array  $credentials
	 * @return bool
	 */
	public function validateCredentials(MyUserInterface $user, array $credentials)
	{
		// Append the per-user salt from the "salt" column, exactly as it was
		// appended when the hash was made, then let the bcrypt hasher verify it.
		$plain = $credentials["password"] . $user->getAuthPasswordSalt();

		return $this->hasher->check($plain, $user->getAuthPassword());
	}

Also on my user model I have the following method.

	/**
	 * Password accessor for set: generates a fresh salt and stores the hash of password + salt.
	 *
	 * @param   string $password
	 * @return  void
	 */
	public function setPasswordAttribute($password)
	{
		// A new random salt on every password change; it lives in its own column
		// so validateCredentials() can append it again at login.
		$this->setAttribute('salt', str_random(16));
		$this->setAttribute('password', app('hash')->make($password . $this->getAttribute('salt')));
	}

Last updated 2 years ago.

No! Stop! Don't try to 'improve' the password system. It already uses salts and is safe. You are not making it better!

Last updated 2 years ago.

barryvdh,

I am confused about the salt used during the hashing process. Is the salt the same as the encryption key set in the App config file?

I am having issues replicating the hashing algorithm in an iOS app and would like to know how to get the salt in the app, so I can process the logins.

Last updated 2 years ago.

No, hashing and encrypting are 2 very different things:

  • For passwords etc., hashing is used. Hash::make($value) creates a hash using password_hash($value, PASSWORD_BCRYPT, array('cost' => $cost)). See http://nl1.php.net/manual/en/function.password-hash.php This is one-way: you can never get the original string back. The first part of the generated hash consists of the used algorithm and the salt. So when you pass the original hash into Hash::check(), you can check if you get the same result. See http://nl1.php.net/manual/en/function.password-verify.php Laravel uses BCRYPT, so you have to see if you can use that.

  • Encryption is 2-way, it encrypts strings (stuff that has to be secure etc) using the encryption key. So without that key it cannot be decrypted.

But why do you want to hash it in your iOS app?

Last updated 2 years ago.

It would be better to implement the authentication as a web service in your Laravel app rather than have the iOS app duplicate the authentication logic.

You can add a method that you post your credentials to and that returns the authentication result.
Even better would be to implement something like OAuth2 for your iOS app to do authentication.

If you must duplicate the password hashing in the iOS app, look for a bcrypt library.
It looks like this one might work if your app is coded in Objective-C.
http://www.jayfuerstenberg.com/blog/bcrypt-in-objective-c

Last updated 2 years ago.
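The web-service approach from the reply above as an added example (not the poster's code and not part of Laravel itself): a Laravel 4.2 route in app/routes.php that the iOS app posts credentials to. The route name, the `email`/`password` field names and the JSON shape are assumptions for the demo.

```php
<?php
// app/routes.php in a Laravel 4.2 application. Added example, not code from the thread.
// The iOS app POSTs email + password here and gets a JSON answer back. The device never
// sees the bcrypt hash or its salt, so nothing about the hashing has to be reimplemented.
//
// Try it (constructed request):
//   curl -X POST -d 'email=alice@example.test&password=correct horse' https://app.example.test/api/login
Route::post('api/login', function () {
    // Only the two fields we need; anything else in the request body is ignored.
    $credentials = Input::only('email', 'password');

    // Auth::once() checks the credentials through the configured user provider
    // (which ends up in Hash::check() against the stored bcrypt string) and logs
    // the user in for this request only: no session, no cookie.
    if (! Auth::once($credentials)) {
        // Same response for "unknown email" and "wrong password", so the endpoint
        // does not confirm which addresses have accounts.
        return Response::json(['authenticated' => false], 401);
    }

    return Response::json([
        'authenticated' => true,
        'user_id'       => Auth::user()->getAuthIdentifier(),
    ]);
});
```

Serve this over HTTPS only, since the password travels in clear text inside the TLS tunnel, and put it behind the same login throttling you would use for the web form. This endpoint only answers the yes/no question; for later requests the app still needs a credential it can present, which is where the OAuth2 suggestion above comes in.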

Not sure the OP ever really got answered here. +1 for "Where's the salt?" I'm used to seeing separate columns for the hashes and salts. No mention of salts on http://laravel.com/docs/4.2/security ... in fact the whole section on authentication is sparse. @barryvdh, are you saying that the hash and salt are both stored in the "password" column?

Last updated 2 years ago.

fireproofsocks said:

@barryvdh, are you saying that the hash and salt are both stored in the "password" column?

Yes, that's where it's kept.

Last updated 2 years ago.

Laravel.io
© 2024 Laravel.io - All rights reserved.