10

So, I'm switching over to Laravel for my site. My old site currently holds around 500 users. Each user has an MD5 hash attached to them, as the password (duh ^^).

As I'm switching over to Laravel, I wish to use `Auth::attempt`; unfortunately, it uses its own method to hash password strings. I don't want all my users to change their password because I'm switching to Laravel. Is it possible to make the Auth class use MD5 instead, so my users don't have to switch password? :)

If yes, can someone show me how?

Jazerix
  • Then you will need to create your own authenticator, something like `if($result=DB::table('user')->where('username',Input::get('user'))->where('password', md5(Input::get('password')))->first()) { //successfully log in }`, although, like Ronni said, better not to use `md5` and force them to change – user2002495 Nov 09 '13 at 17:16
  • Take a look here: http://stackoverflow.com/a/17719586/1661358 Even though the answer is for SHA1, it's pretty much the same process for MD5. – rmobis Nov 09 '13 at 19:13

2 Answers

37

MD5 is horribly outdated. I recommend that you don't try to keep it. Instead, when a user first logs in and `Auth::attempt` fails, you should then try to compare their password to the database as MD5:

    $user = User::where('username', '=', Input::get('username'))->first();

    if (isset($user)) {
        // Strict comparison: loose == can treat two different "0e..." digests as equal
        if ($user->password === md5(Input::get('password'))) { // If their password is still MD5
            $user->password = Hash::make(Input::get('password')); // Convert to new format
            $user->save();
            Auth::login($user); // Auth::login() takes the user model, not the username
        }
    }
rmobis
Someguy123
  • It can't be over-stated enough: Don't use md5. [This article](http://codahale.com/how-to-safely-store-a-password/) has good information as to why. – fideloper Nov 09 '13 at 18:32
  • Well, with the new system, I will force the users to enter their password again when they log in, so I can change their password hash to the one Laravel uses. I'm glad that I've learned this though ^^ Thanks – Jazerix Nov 09 '13 at 21:34
  • Read the article, using bcrypt makes a lot of sense, thanks! :D – Jazerix Nov 09 '13 at 21:42
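The fallback-and-rehash flow from the answer above, as stand-alone PHP using the built-in `password_*` functions. This is an added example, not code from either answer; `isLegacyMd5()`, `verifyAndUpgrade()` and the in-memory `$users` array are hypothetical stand-ins for the login handler and the users table.

```php
<?php
// Added example. $users is constructed sample data, not a real schema.

/** True when the stored value looks like a bare MD5 digest (32 hex chars). */
function isLegacyMd5(string $stored): bool
{
    return preg_match('/^[0-9a-f]{32}$/i', $stored) === 1;
}

/**
 * Check $password against the stored hash. On a successful legacy (MD5) match
 * the record is rewritten with bcrypt, so the MD5 digest is gone after the
 * user's first login on the new system.
 */
function verifyAndUpgrade(array &$user, string $password): bool
{
    $stored = $user['password'];

    if (isLegacyMd5($stored)) {
        // hash_equals() is constant-time and never does loose "0e..." matching.
        if (!hash_equals(strtolower($stored), md5($password))) {
            return false;
        }
        $user['password'] = password_hash($password, PASSWORD_BCRYPT);
        return true;
    }

    if (!password_verify($password, $stored)) {
        return false;
    }
    // Re-hash transparently if the algorithm or cost setting has changed.
    if (password_needs_rehash($stored, PASSWORD_BCRYPT)) {
        $user['password'] = password_hash($password, PASSWORD_BCRYPT);
    }
    return true;
}

// Constructed sample data: one account that still carries an MD5 digest.
$users = ['alice' => ['password' => md5('correct horse')]];

var_dump(verifyAndUpgrade($users['alice'], 'wrong guess'));   // rejected, record untouched
var_dump(isLegacyMd5($users['alice']['password']));           // still legacy
var_dump(verifyAndUpgrade($users['alice'], 'correct horse')); // accepted and upgraded
var_dump(isLegacyMd5($users['alice']['password']));           // now a bcrypt hash
var_dump(verifyAndUpgrade($users['alice'], 'correct horse')); // verifies via bcrypt
```

Accounts that never log in again keep their MD5 digest under this scheme, so the legacy branch can only be deleted once those rows have been reset or expired.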
0

Don't use md5 for password hashing. Even the PHP manual warns against it: "Warning It is not recommended to use this function to secure passwords, due to the fast nature of this hashing algorithm." But in your case you can use the below snippet in your project:

    $user = User::where([ 
        'login_id'  => $request->login_id,
        'password'  => md5($request->password)
    ])->first(); 
    
    if ($user) { 
        Auth::login($user); 

        return redirect()->intended('home')->withSuccess('User Signed in');
    }
ov_rezoy