Comparing Hashed Values to check whether it is Equal

Question

I am storing my Password as BCrypt (Laravel own way)

$NewValue = Hash::make(Input::get('Password'));

$OldValue = Auth::user()->password;  // Taking the value from database
if($NewValue == $OldValue)
{
return 'Both Password are equal'
}
else
{
//go for other operation
}

But whenever i check the if condition, I am always getting false.

What is the mistake i am doing ?

score 5 · Accepted Answer · answered Dec 30 '14 at 10:33

5

Laravel's hash function will generate a new hash every time you call Hash::make. Internally it calls password_hash which then uses crypt. It will always generate a random salt. The salt is included in the final hash so when comparing it can be parsed and used to generate the same hash again.

To verify a password you need to use Hash::check() which then uses password_verify under the hood

$password = Input::get('Password');
$hashedPassword = Auth::user()->password;  // Taking the value from database

if(Hash::check($password, $hashedPassword))
{
    return 'Both Password are equal'
}
else
{
    //go for other operation
}

answered Dec 30 '14 at 10:33

lukasgeiter

147,337
26
332
270

You're becoming my problem solver, (Learning from you) Thanks – AngularAngularAngular Dec 30 '14 at 10:37
Can you please look at this problem pls, i am waiting for this long ,, http://stackoverflow.com/questions/27700021/simple-validation-rule-inside-the-model – AngularAngularAngular Dec 30 '14 at 11:30
I'll take a look at it. But I'm not really the validation pro... Also 6 hours is not very long. Just be patient ;) – lukasgeiter Dec 30 '14 at 11:32
Yes, i Agree, let me wait and check :) – AngularAngularAngular Dec 30 '14 at 11:34

score 1 · Answer 2 · answered Dec 30 '14 at 10:26

1

Use Hash::check() to verify a password against a hash.

Hash::check('secret', $hashedPassword);

Docs - Security - Storing passwords

answered Dec 30 '14 at 10:26

lagbox

48,571
8
72
83

I tried **$NewValue = Hash::make(Input::get('Password')); if($NewValue == Hash::check('secret', Auth::user()->password)) { return'true';} But not success** – AngularAngularAngular Dec 30 '14 at 10:31
The 'secret' is the hashed form of new value ? – AngularAngularAngular Dec 30 '14 at 10:32
the secret will the be plain text version of the password. $hashedPassword would be a hashed password to check it against. (Auth::user()->password) – lagbox Dec 30 '14 at 10:40

Comparing Hashed Values to check whether it is Equal

2 Answers2