Laravel uses bcrypt to hash passwords.
According to this article, at some point in the process, the Hash::make
function creates and uses a 22-length random string as a salt to generate the password.
For a single distinct password, Hash::make
does return unique hashes, hinting that it does use some kind of salting somewhere in the process.
But these salts are not stored in the users table, where I would expect them. How does Laravel know the appropriate hash to use to verify the password?
The article that you linked seems to contain the answer. https://mnshankar.wordpress.com/2014/03/29/laravel-hash-make-explained/
The cleverness of this is that the algorithm, salt and cost are embedded into the hash and so can be easily parsed out into individual components for reconstruction/verification (Please see relevant sections of the php crypt source code at https://github.com/php/php-src/blob/master/ext/standard/crypt.c#L258). Because of this, you don’t need to store the salt/cost separately in a database table.
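To make the "embedded in the hash" point concrete, here is an added Python example (not code from the question, the answer or Laravel) that parses a stored bcrypt string into its version, cost, salt and digest and rebuilds the setting prefix that PHP's crypt() reads back during verification. The sample hash is constructed for the example and is only structurally valid; the function names are my own.

```python
import re

# Modular-crypt layout that PHP's crypt() reads back from the stored string:
#   $<version>$<cost>$<22-char salt><31-char digest>
# Salt and digest use bcrypt's own base64 alphabet (./A-Za-z0-9).
_BCRYPT_RE = re.compile(
    r"^\$(?P<version>2[abxy]?)\$(?P<cost>\d{2})\$"
    r"(?P<salt>[./A-Za-z0-9]{22})(?P<digest>[./A-Za-z0-9]{31})$"
)

# Constructed sample in the shape PHP/Laravel store ($2y$, cost 10); it is a
# structural stand-in, not the bcrypt output of any particular password.
SAMPLE_HASH = "$2y$10$" + "abcdefghijklmnopqrstuv" + "ABCDEFGHIJKLMNOPQRSTUVWXYZ01234"


def parse_bcrypt(stored: str) -> dict:
    """Split a stored bcrypt string into the pieces verification needs."""
    m = _BCRYPT_RE.match(stored)
    if m is None:
        raise ValueError("not a bcrypt modular-crypt string")
    cost = int(m.group("cost"))
    if not 4 <= cost <= 31:  # bcrypt's valid cost range
        raise ValueError(f"cost {cost} outside bcrypt's 4..31 range")
    return {
        "version": m.group("version"),
        "cost": cost,
        "rounds": 2 ** cost,  # key-setup iterations implied by the cost
        "salt": m.group("salt"),
        "digest": m.group("digest"),
    }


def setting_from_hash(stored: str) -> str:
    """Return the 29-char prefix crypt() treats as its 'salt' argument.

    password_verify() hands the whole stored hash to crypt(), which takes the
    algorithm, cost and salt from this prefix, recomputes the digest for the
    candidate password and compares. Nothing beyond the stored hash is needed.
    """
    p = parse_bcrypt(stored)
    return f"${p['version']}${p['cost']:02d}${p['salt']}"


if __name__ == "__main__":
    print(parse_bcrypt(SAMPLE_HASH))
    print("crypt() setting:", setting_from_hash(SAMPLE_HASH))
```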