Is the password field really not hashed by default?

[jcc5018]

Password hashing has got to be the number one security concern on any website. Does Filament really set passwords as plain text as default, when bcrypt is expected with all other Laravel starter sets?

I already found this link hashing passwords But why should i have to go to all these extra processes to get basic security? Am I missing something in my set up so this happens by default?

At minimum if you really want to give the users options how about make it default with an option to ->hash('false') or something of the sorts so it is easy to configure.

Show password options should also be standard without needing a plugin in my opinion, and an indication that the password is filled in already.

I really have a hrd time believing this is not standard practice. I did find the instructions in "advanced forms" but that kind of thing is basic in my option. Please make it part of the password discussion. or at least provide a link and simplify it if possible. As the whole dehydrate and hydrate terms can be confusing to people, when a simple ->hash() ->show('true') etc would be more straight forward.

Additional improvements could be an option to disable field on edit screens without a dedicated "change password" click. There should be some indication that a password is entered though

[coolsam726]

In v3 hashing works out of the box with the following configuration, so I don't see what the big deal is.

Forms\Components\TextInput::make('password')
                    ->password()
                    ->required()

[jcc5018]

Well sir, the big deal is when I use that code, passwords are in plain text so unless I am missing something else in my laravel config, it needs to be addressed.

Obviously it is not working for me or i wouldnt be here talking about it. Tell me what I might be missing or set up incorrectly.

[jcc5018]

v3

I have used

   Password::make('password')
                                            ->label('Password')
                                            ->dehydrateStateUsing(fn($state) => Hash::make($state))
                                            ->dehydrated(fn($state) => filled($state))
                                            ->required(fn(string $context): bool => $context === 'create'),

And

//                                 TextInput::make('password')
//                                      ->password()

Without the dehydration stuff, both options are storing passwords as plain text

Is there something missing in laravel config perhaps that would be altering this?

I have laravel breeze installed with filament on top so perhaps something was overwritten? If i knew where to even begin checking, I'd do so, but I don't know what I would be looking for

[jcc5018]

Hashing.php config file looks correct also

return [


    'driver' => 'bcrypt',
  
    'bcrypt' => [
        'rounds' => env('BCRYPT_ROUNDS', 12),
        'verify' => true,
    ],

    'argon' => [
        'memory' => 65536,
        'threads' => 1,
        'time' => 4,
        'verify' => true,
    ],

];

[ryangjchandler]

@jcc5018 Are you doing this inside of the Filament panel (resource/page/etc) or outside of the panel in a custom Livewire component?

Ignore that last question - the password() modifier is just a toggle for type="password" on the input element, it doesn't handle hashing or anything, that needs to be handled by the dehydration methods.

[ryangjchandler]

You can of course PR the hash() method that you suggested earlier too, all suggestions are welcome.

[jcc5018]

if i knew what to edit, and was confident enough in my coding abilities (and fully understood git other than keeping my project backed up ) I would do so.

I figured out a solution. I just always thought laravel hashed passwords by default, which is why I was a bit confused when it was plain text.

[coolsam726]

Actually, auto-hashing is controlled by the core framework (Laravel) at the model level, so Filament does not need to configure anything to make it happen. Just add the following cast to the App\Models\User model and auto-hashing should work out of the box:

protected $casts = [
        'password' => 'hashed',
    ];

I just noticed this might be the missing piece for you.

[jcc5018]

i tried that, and reverted back to just this:

TextInput::make('password')
                                      ->password()

and it is still storing as plain text

[coolsam726]

You should do the two together, not one or the other:

1. In your model set the hashed cast.
2. In your form, be have the ->password() method as above.

[omarfarache]

worked! thx

[Qnator]

This worked 100%! Thanks 4.000.000 times!

[musiccollect]

I've also got Laravel (11) with Breeze and then Filament 3 on top of that. I'm getting login errors suggesting the credentials are wrong but they are correct. Some discussions about the cause I've sighted talk about multiple hashing of the password .. I'm still trying to get to the bottom of it

[signorincubo]

Hi musiccollect, i got same problem.
Did you resolve It?
When i try to login with tinker everything works good, but with philament got no luck.
I already done all the step needed, (env, migration, panels, add user, permissions, email verified....)

[Irissu]

I am facing the same problem. I don't understand that in a clean installation filament has these problems. It should work only by setting the text field as password. I am using Laravel 10.