Converting password hashes from bcrypt to argon2id

[Jamesking56]

Hey everyone,

Does Laravel have a nice way to upgrade bcrypt hashes to argon2id? It would be nice to be able to upgrade hashes when users login.

Cheers.

[JagdishPrecise]

Yes, Laravel provides a simple way to upgrade bcrypt hashes to argon2id hashes. You can use the Hash::needsRehash() method to check if a given password hash needs to be rehashed with a different algorithm.

To upgrade your existing bcrypt hashes to argon2id, you can modify the boot() method in your AuthServiceProvider class as follows:

use Illuminate\Support\Facades\Hash;
public function boot()
{
    $this->registerPolicies();

    // Upgrade old bcrypt hashes to argon2id
    Hash::driver('bcrypt')->needsRehash(function ($hashedPassword) {
        return Hash::needsRehash($hashedPassword, 'argon2id');
    });
}

This code registers a callback function that checks if a given password hash needs to be rehashed with argon2id. If the hash is a bcrypt hash and needs to be rehashed, the callback will return true, and Laravel will automatically rehash the password with argon2id the next time the user logs in.

By using this feature, you can gradually upgrade your user's passwords to use a stronger hash algorithm without requiring them to reset their passwords.

[Jamesking56]

Thanks will give this a go! 👍

[JurianArie]

Hash::needsRehash() returns true if the given hash differs from the default algorithm. So no need to update your service provider.

framework/src/Illuminate/Hashing/ArgonHasher.php

Lines 112 to 119 in ee9487f

	public function needsRehash($hashedValue, array $options = [])
	{
	return password_needs_rehash($hashedValue, $this->algorithm(), [
	'memory_cost' => $this->memory($options),
	'time_cost' => $this->time($options),
	'threads' => $this->threads($options),
	]);
	}

https://www.php.net/manual/en/function.password-needs-rehash.php#return-value

Returns true if the hash should be rehashed to match the given algo and options, or false otherwise.

[Jamesking56]

Whats the flow here when a user logs in when their password is bcrypt?

1. User fills in form and submits
2. We find the account matching their email address
3. We check if the hash for that account needs rehashing?
4. We rehash to argon2id
5. We then verify their login and log the user in using Laravel's Auth facade?

Is this the correct flow?

[JurianArie]

@Jamesking56 no you should conditionally rehash the password after verifying it.

1. User fills in form and submits
2. We find the account matching their email address
3. We then verify their login
4. We check if the hash for that account needs rehashing?
5. We rehash to argon2id
6. log the user in using Laravel's Auth facade

[valorin]

Just something to be aware of with this approach: passwords will only be upgraded when the user logs in. Any users who don't login won't have their passwords upgraded, and won't gain the security benefits of the new algorithm. This may be acceptable for your use case though, since you're going from bcrypt, which is already very secure when configured properly.

If you don't want lingering bcrypt hashes, your two options are:

1. Wrap your existing bcrypt hashes in argon2id in a bulk update, and then use the wrapped double-hashing for all future password operations. This provides a seamless approach to your users, and gets it all done in one hit.
2. Set a fixed window during which you rehash passwords for your active users. When the fixed window is over, disable the remaining passwords and force password resets for those users if they come back to your app. The fixed window can be any suitable time, given your userbase and risk-level for the password migration. I.e. some apps could take a month, some could take a year. ¯_(ツ)_/¯

As a side note, I wrote about password rehashing, if you'd like more details about the process: https://larasec.substack.com/p/in-depth-rehashing-passwords
Note, the post is paywalled but feel free you can sign up for the 7-day trial and then cancel before it charges you, so you can read the post for free. 🙂