Skip to main content

What is hashing

Hashing converts plain-text data such as passwords into a fixed-length string through a one-way transformation. The same input always produces the same hash, but you cannot recover the original plain text from a hash. Laravel’s Hash facade supports bcrypt and Argon2 hashing algorithms for secure password storage.

Algorithm comparison

AlgorithmCharacteristicsRecommended use
bcryptWork factor (rounds) controls computation cost. Default driverGeneral web applications
argon2iConfigurable memory, time, and threads. Resistant to side-channel attacksHigh-security scenarios
argon2idHybrid of argon2i and argon2d. Recommended by the PHCNew projects using Argon2
The bcrypt “work factor” controls how long it takes to generate a hash. A slower hash increases resistance to brute-force attacks. As hardware becomes faster, you can raise the work factor to maintain security.

Hashing and verification flow

Configuration

By default, Laravel uses the bcrypt driver. You can change it with the HASH_DRIVER environment variable. 
# .env
HASH_DRIVER=bcrypt  # bcrypt / argon / argon2id
To customize hashing options, publish the configuration file with config:publish. 
php artisan config:publish hashing
After publishing, edit config/hashing.php to adjust default work factors and other settings.

Basic usage

Hashing a password

Pass a plain-text password to Hash::make() to get a hash. Store this hash value in your database. 
<?php

namespace App\Http\Controllers;

use Illuminate\Http\RedirectResponse;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Hash;

class PasswordController extends Controller
{
    public function update(Request $request): RedirectResponse
    {
        $request->validate([
            'password' => ['required', 'min:8', 'confirmed'],
        ]);

        $request->user()->fill([
            'password' => Hash::make($request->password),
        ])->save();

        return redirect('/profile');
    }
}
Store hash values in your database. Never store plain-text passwords.

Adjusting the bcrypt work factor

Use the rounds option to control the computation cost of hash generation. Higher values are more secure but slower. The default value of 12 is appropriate for most applications. 
$hashed = Hash::make('plain-text-password', [
    'rounds' => 14,
]);

Adjusting the Argon2 work factor

When using Argon2, adjust the computation cost with the memory, time, and threads options. 
$hashed = Hash::make('plain-text-password', [
    'memory'  => 65536, // in KiB
    'time'    => 4,
    'threads' => 2,
]);
OptionDescriptionDefault
memoryMemory to use (KiB)65536
timeNumber of iterations4
threadsNumber of threads1
For details on these options, see the official PHP documentation on password_hash.

Verifying a password

Use Hash::check() to verify that a plain-text password matches a stored hash. This is typically used inside login logic. 
use Illuminate\Support\Facades\Hash;

if (Hash::check($request->password, $user->password)) {
    // Passwords match
} else {
    // Passwords do not match
}
When using Auth::attempt(), this comparison happens automatically. You call Hash::check() directly when you need to manually verify a password, such as confirming the current password before a change. 
// Confirm current password before allowing a password change
if (! Hash::check($request->current_password, $request->user()->password)) {
    return back()->withErrors(['current_password' => 'The current password is incorrect.']);
}

Determining if a password needs rehashing

Hash::needsRehash() checks whether the work factor used to hash a password differs from the current configuration. Use this to update existing hashes when you raise the work factor. 
use Illuminate\Support\Facades\Hash;

if (Hash::needsRehash($user->password)) {
    $user->update([
        'password' => Hash::make($plainTextPassword),
    ]);
}
A common pattern is to rehash on successful login. 
// Rehash during login
if (Auth::attempt($credentials)) {
    if (Hash::needsRehash(Auth::user()->password)) {
        Auth::user()->update([
            'password' => Hash::make($credentials['password']),
        ]);
    }

    return redirect()->intended('/dashboard');
}
Review your work factor periodically as hardware improves. Using needsRehash() during login lets you update passwords transparently without requiring users to take any action.

Hash algorithm verification

By default, Hash::check() verifies that the given hash was generated using the application’s configured algorithm. If the algorithms differ, a RuntimeException is thrown. This protects against hash algorithm manipulation attacks. If you need to support multiple algorithms simultaneously — for example, during a migration from one algorithm to another — you can disable this verification by setting HASH_VERIFY to false. 
# .env
HASH_VERIFY=false
Setting HASH_VERIFY=false disables algorithm verification. Use this only during a migration period and restore it to true (the default) once the migration is complete.

Summary

GoalHow
Hash a passwordHash::make($password)
Verify a hashHash::check($plain, $hash)
Check if rehashing is neededHash::needsRehash($hash)
Change the hashing driverHASH_DRIVER environment variable
Disable algorithm verificationHASH_VERIFY=false

Next steps

Authentication

Learn how login flows use Hash::check() and how Laravel’s authentication system works end to end.
Last modified on April 2, 2026