Using Laravel's Hash Facade for Password Hashing and Verification

Laravel's Hash facade provides secure Bcrypt and Argon2 hashing for storing user passwords; when using the built‑in LoginController and RegisterController , Bcrypt is used by default for registration and authentication.

The default hashing driver is defined in config/hashing.php and can be either Bcrypt or Argon2 . Note that the Argon2 driver requires PHP 7.2.0 or higher.

To hash a password you call the make method on the Hash facade. Example controller code:

<?php
namespace App\Http\Controllers;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Hash;
use App\Http\Controllers\Controller;

class UpdatePasswordController extends Controller
{
    /**
     * Update user password.
     */
    public function update(Request $request)
    {
        // Validate new password length...
        $request->user()->fill([
            'password' => Hash::make($request->newPassword)
        ])->save();
    }
}

For Bcrypt you can adjust the cost factor with the rounds option:

$hashed = Hash::make('password', ['rounds' => 12]);

For Argon2 you can control memory , time , and threads options:

$hashed = Hash::make('password', [
    'memory' => 1024,
    'time' => 2,
    'threads' => 2,
]);

To verify a plain‑text password against a stored hash, use Hash::check :

if (Hash::check('plain-text', $hashedPassword)) {
    // Password matches
}

When the hashing parameters change, Hash::needsRehash tells you whether a stored hash should be regenerated:

if (Hash::needsRehash($hashed)) {
    $hashed = Hash::make('plain-text');
}