Laravel 5 - Handle Old Password Hashes

by Martin Carlin

I recently had to deal with migrating legacy systems to a Laravel 5.4 app, as you might have guessed, the legacy app was using sha1 and not bcrypt.

Here is how I managed to silently update sha1 passwords to the more secure bcrypt version:

<?php

namespace App\Listeners;

use Illuminate\Auth\Events\Attempting;
use Illuminate\Queue\InteractsWithQueue;
use Illuminate\Contracts\Queue\ShouldQueue;

use App\User;

use Hash;

class CheckOldHashedPassword
{
    /**
     * Create the event listener.
     *
     * @return void
     */
    public function __construct()
    {
        //
    }

    /**
     * Handle the event.
     *
     * @param  Login  $event
     * @return void
     */
    public function handle(Attempting $event)
    {
        $user = User::where('email', $event->credentials['username'])->first();

        if (!empty($user) && $user->password === sha1($event->credentials['password'])) {
            // update password
            $user->password = Hash::make($event->credentials['password']);
            $user->save();
        }
    }
}

Just created the above file in app\Listeners.

Depending on the name of your login field, you might need to change the array key being used in $event->credentials, possibly username or email.

If you are using md5 or something else, then you can easily add in the checks that you need.