---
title: Use Hash::make() for Passwords — Never md5/sha1/bcrypt()
impact: CRITICAL
impactDescription: MD5/SHA1 are broken for passwords; Laravel's Hash facade uses bcrypt/argon2 with proper salting automatically
tags: password, hashing, bcrypt, security, hash, laravel
---

## Use Hash::make() for Passwords

Laravel's `Hash` facade automatically uses the configured driver (bcrypt by default, upgradeable to argon2id). Never use PHP's raw `password_hash()` directly without going through Laravel's config, and never use `md5()` or `sha1()`. The `bcrypt()` helper is not a substitute either: it always resolves the bcrypt driver, so it ignores a configured switch to argon2id.

**Wrong:**

```php
// md5/sha1 — broken, no salting, rainbow-table vulnerable
$user->password = md5($request->password);
$user->password = sha1($request->password);

// Raw PHP without config — bypasses algorithm config
$user->password = password_hash($request->password, PASSWORD_BCRYPT);
```

**Correct:**

```php
use App\Models\User;
use Illuminate\Support\Facades\Hash;
use Illuminate\Validation\ValidationException;

// Creating a user
$user = User::create([
    'name'     => $request->name,
    'email'    => $request->email,
    'password' => Hash::make($request->password), // salted + bcrypt/argon2
]);

// Verifying on login — NEVER compare raw strings
if (!Hash::check($request->password, $user->password)) {
    throw ValidationException::withMessages([
        'email' => ['These credentials do not match our records.'],
    ]);
}

// Rehash on login if the configured algorithm or its cost changed
if (Hash::needsRehash($user->password)) {
    $user->update(['password' => Hash::make($request->password)]);
}
```

**Config:** Change the algorithm in `config/hashing.php`:

```php
'driver' => 'argon2id', // upgrade from default bcrypt for new projects
```

**In migrations:** password column must be `string(255)`, not `string(32)` — bcrypt hashes are 60 chars, argon2id up to 95.
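The following feature test is an added example, not part of this rule file or of Laravel itself. It checks the three guarantees the rule relies on: `Hash::make()` salts every hash, `Hash::needsRehash()` flags a bcrypt hash once the driver is switched to argon2id, and the upgraded hash fits a `string(255)` column. It assumes a standard Laravel test setup (`Tests\TestCase`), a PHP build with Argon2 support, and a hypothetical file path of `tests/Feature/PasswordHashingTest.php`.

```php
<?php
// tests/Feature/PasswordHashingTest.php (hypothetical path; added example)

namespace Tests\Feature;

use Illuminate\Support\Facades\Hash;
use Tests\TestCase;

class PasswordHashingTest extends TestCase
{
    // Constructed sample password for the test, not a real credential.
    private string $plain = 'correct horse battery staple';

    public function test_hash_make_salts_every_hash(): void
    {
        $first  = Hash::make($this->plain);
        $second = Hash::make($this->plain);

        // A per-hash salt means identical passwords never share a hash,
        // which is exactly what md5()/sha1() cannot provide.
        $this->assertNotSame($first, $second);

        $this->assertTrue(Hash::check($this->plain, $first));
        $this->assertTrue(Hash::check($this->plain, $second));
        $this->assertFalse(Hash::check('not the password', $first));
    }

    public function test_login_path_rehashes_after_driver_upgrade(): void
    {
        // A hash stored while the app was still on the default bcrypt driver.
        $stored = Hash::driver('bcrypt')->make($this->plain);
        $this->assertFalse(Hash::driver('bcrypt')->needsRehash($stored));

        // Simulate the config/hashing.php change to argon2id at runtime.
        config(['hashing.driver' => 'argon2id']);

        // Verify the legacy hash with the driver that produced it: when the
        // driver's 'verify' option is enabled in config/hashing.php, check()
        // on the default driver refuses hashes from a different algorithm.
        $this->assertTrue(Hash::driver('bcrypt')->check($this->plain, $stored));

        // The default driver now reports the old hash as needing an upgrade.
        $this->assertTrue(Hash::needsRehash($stored));

        $upgraded = Hash::make($this->plain);
        $this->assertStringStartsWith('$argon2id$', $upgraded);
        $this->assertFalse(Hash::needsRehash($upgraded));
        $this->assertLessThanOrEqual(255, strlen($upgraded)); // fits string(255)
    }
}
```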
