It's correct, and that's by design.
AFAIK, the function uses the password_hash() PHP function, and defaults to the PASSWORD_BCRYPT flag, which

> PASSWORD_BCRYPT - Use the CRYPT_BLOWFISH algorithm to create the
> hash. This will produce a standard crypt() compatible hash using the
> "$2y$" identifier. The result will always be a 60 character string, or
> FALSE on failure.

That means a salt is automatically generated at each call, and inserted within the generated string, which contains: an identifier for the algo (in this case, $2y$), the iteration cost (defaults to 12), the hashed password, and the generated random salt.

That means, thus, every time you hash your password a new salt is created, therefore the string will always be different - even if the password is the same. That's one of the strengths over a simple md5 hash without salt.

To check it, you use Hash::check(), which uses the password_verify() PHP function, which analyses the hash, guesses the algo used, takes the embedded salt, and can therefore check if the procedure, given the same starting conditions, creates an identical hash.

Edit
Indeed, this is the method (in Illuminate/Hashing/BcryptHasher)

    /**
     * Hash the given value.
     *
     * @param string $value
     * @param array $options
     * @return string
     */
    public function make($value, array $options = array())
    {
        // Use the per-call 'rounds' option if given, otherwise the hasher's default.
        $cost = isset($options['rounds']) ? $options['rounds'] : $this->rounds;
        $hash = password_hash($value, PASSWORD_BCRYPT, array('cost' => $cost));
        if ($hash === false)
        {
            throw new RuntimeException("Bcrypt hashing not supported.");
        }
        return $hash;
    }
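
The behaviour described in this answer, as an added example that is not part of the original answer or of Laravel's code: plain PHP calls that produce two different hashes for one password, split out the fields embedded in each string, and verify by recomputing with the embedded salt. The password, the cost of 10 and the helper `bcrypt_fields()` are constructed for the illustration.

```php
<?php
// Added example. The password, cost and bcrypt_fields() helper are constructed for illustration.
$password = 'correct horse battery staple';
$cost     = 10;

// Same input, two calls: password_hash() draws a fresh random salt each time.
$first  = password_hash($password, PASSWORD_BCRYPT, ['cost' => $cost]);
$second = password_hash($password, PASSWORD_BCRYPT, ['cost' => $cost]);

// Split a bcrypt string into identifier, cost, 22-char salt and 31-char digest.
function bcrypt_fields(string $hash): array
{
    $pattern = '~^(\$2[abxy]\$)(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$~';
    if (!preg_match($pattern, $hash, $m)) {
        throw new InvalidArgumentException('Not a bcrypt hash string.');
    }
    return ['identifier' => $m[1], 'cost' => (int) $m[2], 'salt' => $m[3], 'digest' => $m[4]];
}

foreach ([$first, $second] as $hash) {
    $f = bcrypt_fields($hash);
    printf("%s\n  id=%s cost=%d salt=%s digest=%s\n",
        $hash, $f['identifier'], $f['cost'], $f['salt'], $f['digest']);
}

// The strings differ, so comparing a stored hash with a freshly made one is the wrong check.
printf("hashes identical:        %s\n", var_export(hash_equals($first, $second), true));

// crypt() given the stored hash as its salt argument reuses the embedded
// identifier, cost and salt, so the same password reproduces the same string.
printf("recomputed matches:      %s\n",
    var_export(hash_equals($first, crypt($password, $first)), true));

// password_verify() does that recomputation and a timing-safe comparison.
printf("verify correct password: %s\n", var_export(password_verify($password, $first), true));
printf("verify against second:   %s\n", var_export(password_verify($password, $second), true));
printf("verify wrong password:   %s\n", var_export(password_verify('wrong password', $first), true));

// A stored hash made at a lower cost than the current policy is flagged for rehash at next login.
printf("needs rehash at cost 12: %s\n",
    var_export(password_needs_rehash($first, PASSWORD_BCRYPT, ['cost' => 12]), true));
```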