Hashing

• Introduction
• Configuration
• Basic Usage
  • Hashing Passwords
  • Verifying That a Password Matches a Hash
  • Determining if a Password Needs to be Rehashed
• Hash Algorithm Verification

Introduction

The Laravel Hash facade provides secure Bcrypt and Argon2 hashing for storing user passwords. If you are using one of the Laravel application starter kits, Bcrypt will be used for registration and authentication by default.

Bcrypt is a great choice for hashing passwords because its "work factor" is adjustable, which means that the time it takes to generate a hash can be increased as hardware power increases. When hashing passwords, slow is good. The longer an algorithm takes to hash a password, the longer it takes malicious users to generate "rainbow tables" of all possible string hash values that may be used in brute force attacks against applications.

Configuration

By default, Laravel uses the bcrypt hashing driver when hashing data. However, several other hashing drivers are supported, including argon and argon2id.

You may specify your application's hashing driver using the HASH_DRIVER environment variable. But, if you want to customize all of Laravel's hashing driver options, you should publish the complete hashing configuration file using the config:publish Artisan command:

php artisan config:publish hashing

Basic Usage

Hashing Passwords

You may hash a password by calling the make method on the Hash facade:

<?php

namespace App\Http\Controllers;

use Illuminate\Http\RedirectResponse;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Hash;

class PasswordController extends Controller
{
    /**
     * Update the password for the user.
     */
    public function update(Request $request): RedirectResponse
    {
        // Validate the new password length...

        $request->user()->fill([
            'password' => Hash::make($request->newPassword)
        ])->save();

        return redirect('/profile');
    }
}

Adjusting The Bcrypt Work Factor

If you are using the Bcrypt algorithm, the make method allows you to manage the work factor of the algorithm using the rounds option; however, the default work factor managed by Laravel is acceptable for most applications:

$hashed = Hash::make('password', [
    'rounds' => 12,
]);

Adjusting The Argon2 Work Factor

If you are using the Argon2 algorithm, the make method allows you to manage the work factor of the algorithm using the memory, time, and threads options; however, the default values managed by Laravel are acceptable for most applications:

$hashed = Hash::make('password', [
    'memory' => 1024,
    'time' => 2,
    'threads' => 2,
]);

[!NOTE]
For more information on these options, please refer to the official PHP documentation regarding Argon hashing.

Verifying That a Password Matches a Hash

The check method provided by the Hash facade allows you to verify that a given plain-text string corresponds to a given hash:

if (Hash::check('plain-text', $hashedPassword)) {
    // The passwords match...
}

确定密码是否需要重新哈希

Hash 门面（facade）提供的 needsRehash 方法允许你确定自从密码被哈希后，哈希器使用的工作因子（work factor）是否发生了变化。一些应用会选择在认证过程中执行此检查：

if (Hash::needsRehash($hashed)) {
    $hashed = Hash::make('plain-text');
}

哈希算法验证

为防止哈希算法被篡改，Laravel 的 Hash::check 方法会首先验证给定的哈希是否是使用应用程序选择的哈希算法生成的。如果算法不同，将会抛出 RuntimeException 异常。

大多数应用不希望哈希算法发生变化，因为出现不同的算法可能表明存在恶意攻击，这是大多数应用的一种预防机制。然而，如果你需要在应用程序内支持多种哈希算法，例如在从一种算法迁移至另一种算法时，你可以通过将 HASH_VERIFY 环境变量设置为 false 来禁用哈希算法的验证：

HASH_VERIFY=false

dkp 翻译于 22小时前

0 重译