Bcrypt vs Hash in Laravel

Dees Oomens · Mar 6, 2015 · Viewed 32.3k times

I want to create a function or something like a Cron that executes a link (in Laravel), with something like a password. I've got two solutions. But which one is better to use:

Option 1 (hash):

<?php

// Page 1

$salt = "my-random-hash";
$key = hash('sha256', date('Y-m-d').$salt);

// <-- Insert go to page and send GET with $key code here

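// Page 2

// $pageOneKey is the key received from Page 1 via GET
$salt = "my-random-hash";
$key = hash('sha256', date('Y-m-d').$salt);

// hash_equals() compares in constant time and avoids the type juggling of ==
if (hash_equals($key, (string) $pageOneKey)) {
    // Execute some code
}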

Option 2 (bcrypt):

<?php

// Page 1

$key = Crypt::encrypt(date('Y-m-d'));

// <-- Insert go to page and send GET with $key code here

// Page 2

$key = date('Y-m-d');
// Decrypt the key received from Page 1 via GET, not today's date
$pageOneKey = Crypt::decrypt($pageOneKey);

if ($key === $pageOneKey) {
    // Execute some code
}

This code has been described broadly. By "better to use" I mean safer / more secure, or something in that vein. Thanks!

Answer

lukasgeiter · Mar 6, 2015

Your second option isn't bcrypt. Laravel's Crypt class uses AES encryption.
As stated in the documentation:

Laravel provides facilities for strong AES encryption via the Mcrypt PHP extension.

As far as I can tell, you don't need to be able to decrypt the data, to reverse the encryption. Therefore you should definitely use a hashing algorithm like sha256 in your first option. However, Laravel ships with a pretty good hashing class already, so why not use that?

Option 3 (Laravel Hash, Bcrypt)

$hash = Hash::make('secret');

$input = 'secret';
if (Hash::check($input, $hash)) {
    // the input matches the secret
}

Note that you have to use Hash::check() for comparing. You can't just create another hash with Hash::make() and compare them. The generated hash contains a random component, so even if it's the same secret, Hash::make() will produce a different hash every time.

Hashing - Laravel docs
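
The point about Hash::check() above, as an added example that is not part of the original answer. It uses PHP's password_hash() and password_verify(), the bcrypt functions that Laravel's hasher wraps, so it runs without the framework; the function names and the sample secret are constructed for illustration.

```php
<?php
// Added example in plain PHP (not code from the answer or from Laravel).
// Assumption: password_hash()/password_verify() stand in for
// Hash::make()/Hash::check().

// Constructed sample secret for the demonstration.
$secret = 'secret';
$options = ['cost' => 10];

// Wrong: hash the input a second time and compare the two strings.
// Each call draws a fresh random salt, so the strings never match.
function checkByRehashing($input, $storedHash, array $options)
{
    $candidate = password_hash($input, PASSWORD_BCRYPT, $options);
    return hash_equals($storedHash, $candidate);
}

// Right: the verifier reads the salt and cost out of the stored hash,
// recomputes bcrypt with them and compares the result.
function checkByVerifying($input, $storedHash)
{
    return password_verify($input, $storedHash);
}

$stored = password_hash($secret, PASSWORD_BCRYPT, $options);
$again  = password_hash($secret, PASSWORD_BCRYPT, $options);

// Whether two hashes of the same secret are the same string.
echo "hashes identical:     ";
var_dump($stored === $again);

// The salt is the 22 characters after the 7-character "$2y$10$" prefix.
echo "salt of first hash:   ", substr($stored, 7, 22), "\n";
echo "salt of second hash:  ", substr($again, 7, 22), "\n";

// Result of each checking strategy against the stored hash.
echo "re-hash and compare:  ";
var_dump(checkByRehashing($secret, $stored, $options));
echo "verify, right secret: ";
var_dump(checkByVerifying($secret, $stored));
echo "verify, wrong secret: ";
var_dump(checkByVerifying('wrong', $stored));
```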