10

So, I'm switching over to laravel for my site. My old site currently holds around 500 users. Each user has a md5 hash attached to them, as the password (duh ^^).

As I'm switching over to laravel, I wish to use the Auth::attempt unfortunately it uses its own method to hash password strings. I don't want all my users to change their password, because I'm switching to laravel, is it possible to make the Auth class use md5 instead, so my users don't have to switch password? :)

If yes, can someone show me how?

Improve this question
2
  • Then you will need to create your own authenticator, something like if($result=DB::table('user')->where('username',Input::get('user'))->where('password', md5(Input::get('password')))) { //successfully log in }, although like Ronni said better not use md5 and force them to change
    – user2002495
    Commented Nov 9, 2013 at 17:16
  • Take a look here: stackoverflow.com/a/17719586/1661358 Even though the answer is for SHA1, it's pretty much the same process for MD5.
    – rmobis
    Commented Nov 9, 2013 at 19:13

2 Answers 2

Reset to default
38

MD5 is horribly outdated. I recommend that you don't try to keep it. Instead, when a user first logs in, and Auth::attempt fails, you should then try to compare their password to the database as MD5

$user = User::where('username', '=', Input::get('username'))->first();

if(isset($user)) {
    if($user->password == md5(Input::get('password'))) { // If their password is still MD5
        $user->password = Hash::make(Input::get('password')); // Convert to new format
        $user->save();
        Auth::login(Input::get('username'));
    }
}
Improve this answer
3
  • 5
    It can't be over-stated enough: Don't use md5. This article has good information as to why.
    – fideloper
    Commented Nov 9, 2013 at 18:32
  • Well, with the new system, I will force the users to enter their password again when they login, so I can change their password hash to the one laravel uses. I'm glad that I've learned this though ^^ Thanks
    – Jazerix
    Commented Nov 9, 2013 at 21:34
  • Read the article, using bcrypt makes a lot of sense, thanks! :D
    – Jazerix
    Commented Nov 9, 2013 at 21:42
0

Don't use md5 for password hashing. Even the php manual warns against it: "Warning It is not recommended to use this function to secure passwords, due to the fast nature of this hashing algorithm.".But in your case you can use the below snippet in your project

    $user = User::where([ 
        'login_id'  => $request->login_id,
        'password'  => md5($request->password)
    ])->first(); 
    
    if ($user) { 
        Auth::login($user); 

        return redirect()->intended('home')->withSuccess('User Signed in');
    }
Improve this answer

Not the answer you're looking for? Browse other questions tagged or ask your own question.