The salt for hashing is put in the database. It uses the PHP Password API (with Bcrypt encryption by default): http://www.php.net/manual/en/function.password-hash.php When you look in the database, you can see that the hash consists of the used encryption and strength ($2y$10 = bcrypt with a cost of 10), then the salt and the hash.
The encryption key is used to encrypt. See http://laravel.com/docs/security#encryption You have to know the key to decrypt an encrypted string. So be sure to change the key when starting a project, and never change it during a project, because you cannot decrypt already saved data with a different key.
I use salts; you just have to make your own UserProvider and update this method.
You would add a field called salt.
Make your own interface that extends Illuminate's UserInterface and add the method getAuthPasswordSalt that returns the salt the password was created with.
/**
 * Validate a user against the given credentials.
 *
 * @param MyUserInterface $user
 * @param array $credentials
 * @return bool
 */
public function validateCredentials(MyUserInterface $user, array $credentials)
{
    // Append the per-user salt stored in the extra column before checking
    // against the stored bcrypt hash (which already carries its own salt).
    $plain = $credentials["password"] . $user->getAuthPasswordSalt();
    return $this->hasher->check($plain, $user->getAuthPassword());
}
Also on my user model I have the following method.
/**
 * Password mutator: called by Eloquent whenever $user->password is assigned.
 * Generates a fresh random salt and stores the bcrypt hash of password + salt.
 *
 * @param string $password
 * @return void
 */
public function setPasswordAttribute($password)
{
    $this->setAttribute('salt', str_random(16));
    $this->setAttribute('password', app('hash')->make($password . $this->getAttribute('salt')));
}
No! Stop! Don't try to 'improve' the password system. It already uses salts and is safe. You are not making it better!
barryvdh,
I am confused about the salt used during the hashing process. Is the salt the same as the encryption key set in the App config file?
I am having issues replicating the hashing algorithm in an iOS app and would like to know how to get the salt in the app, so I can process the logins.
No, hashing and encrypting are 2 very different things:
For passwords etc, hashing is used. Hash::make($value) creates a hash using password_hash($value, PASSWORD_BCRYPT, array('cost' => $cost))
See http://nl1.php.net/manual/en/function.password-hash.php
This is 1-way. You can never get the original string back. The first part of the generated hash consists of the used algorithm and the salt. So when you pass in the original hash in Hash::check(), you can check if you get the same result. See http://nl1.php.net/manual/en/function.password-verify.php
Laravel uses BCRYPT, so you have to see if you can use that.
Encryption is 2-way, it encrypts strings (stuff that has to be secure etc) using the encryption key. So without that key it cannot be decrypted.
But why do you want to hash it in your iOS app?
It would be better to implement the authentication by a web service in your Laravel app rather than making the iOS app duplicate the authentication logic.
You can add a method that you post your credentials to and it returns authentication results.
Even better would be to implement something like OAuth2 for your iOS app to do authentication.
If you must duplicate the password hashing in the iOS app, look for a bcrypt library.
It looks like this one might work if your app is coded in Objective-C.
http://www.jayfuerstenberg.com/blog/bcrypt-in-objective-c
Not sure the OP ever really got answered here. +1 for "Where's the salt?" I'm used to seeing separate columns for the hashes and salts. No mention of salts on http://laravel.com/docs/4.2/security ... in fact the whole section on authentication is sparse. @barryvdh, are you saying that the hash and salt are both stored in the "password" column?
fireproofsocks said:
@barryvdh, are you saying that the hash and salt are both stored in the "password" column?
Yes, that's where it's kept.
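What barryvdh describes above, as an added example that is not from this thread or from Laravel's own code: hash a password with the same password_hash() call that Laravel 4's Hash::make() uses, pull the algorithm, cost and salt back out of the resulting string, and verify against it without any separate salt column. It assumes PHP 7 or later; the parseBcryptHash() helper and the sample password are constructed for this example.

```php
<?php
// Added example, not code from this thread or from Laravel itself.
// Laravel 4's Hash::make($value) wraps password_hash($value, PASSWORD_BCRYPT,
// ['cost' => 10]) and Hash::check() wraps password_verify(), so plain PHP
// shows exactly what ends up in the "password" column.

/**
 * Split a bcrypt string as stored in the database into its fields.
 * Layout: $<algo>$<cost>$<22-char salt><31-char digest>, 60 characters in total.
 */
function parseBcryptHash(string $stored): array
{
    $re = '#^\$(2[aby])\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$#';
    if (!preg_match($re, $stored, $m)) {
        throw new InvalidArgumentException('Not a bcrypt hash: ' . $stored);
    }
    return ['algo' => $m[1], 'cost' => (int) $m[2], 'salt' => $m[3], 'digest' => $m[4]];
}

$password = 'correct horse battery staple';   // constructed sample input

// Hash the same password twice: password_hash() draws a fresh random salt on
// every call, so the two stored strings differ although the input is identical.
$first  = password_hash($password, PASSWORD_BCRYPT, ['cost' => 10]);
$second = password_hash($password, PASSWORD_BCRYPT, ['cost' => 10]);
print_r(parseBcryptHash($first));
print_r(parseBcryptHash($second));
var_dump($first !== $second);

// Verification needs no extra salt column: password_verify() reads the
// algorithm, cost and salt back out of the stored string, recomputes the
// digest with them, and compares the result in constant time.
var_dump(password_verify($password, $first));
var_dump(password_verify($password, $second));
var_dump(password_verify('not the password', $first));

// Defensive check when reading rows from the users table: confirm the stored
// value is bcrypt at the expected cost before relying on it, and detect hashes
// that should be rehashed at the current cost on the user's next login.
$info = password_get_info($first);
var_dump($info['algoName'] === 'bcrypt' && $info['options']['cost'] === 10);
var_dump(password_needs_rehash($first, PASSWORD_BCRYPT, ['cost' => 10]));
```

Because the salt is already embedded in the stored string and regenerated on every hash, the extra salt column from the custom UserProvider post earlier in the thread adds nothing that bcrypt does not do on its own.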