PHPackages j3j5/hmac-bcrypt-laravel - PHPackages - PHPackages [Skip to content](#main-content)[PHPackages](/)[Directory](/)[Categories](/categories)[Trending](/trending)[Leaderboard](/leaderboard)[Changelog](/changelog)[Analyze](/analyze)[Collections](/collections)[Log in](/login)[Sign up](/register) 1. [Directory](/) 2. / 3. [Security](/categories/security) 4. / 5. j3j5/hmac-bcrypt-laravel ActiveLibrary[Security](/categories/security) j3j5/hmac-bcrypt-laravel ======================== A laravel hasher for the HMAC-BCrypt implementation for password hashing 0.2.1(1y ago)4144MITPHP Since Oct 4Pushed 1y ago1 watchersCompare [ Source](https://github.com/j3j5/hmac-bcrypt-laravel)[ Packagist](https://packagist.org/packages/j3j5/hmac-bcrypt-laravel)[ RSS](/packages/j3j5-hmac-bcrypt-laravel/feed)WikiDiscussions main Synced 1mo ago READMEChangelogDependencies (5)Versions (6)Used By (0) hmac-bcrypt =========== [](#hmac-bcrypt) [![Coverage Badge](https://gist.githubusercontent.com/j3j5/a143261dcd5d0d9456c01f854eccecd0/raw/badge.svg "PHPUnit coverage")](https://gist.githubusercontent.com/j3j5/a143261dcd5d0d9456c01f854eccecd0/raw/badge.svg)[![PHPStan Badge, it reads "level 9"](https://camo.githubusercontent.com/8ef32194988c33f2f1812ff8cf47a2804e0f95fad59acda3e1fb1f70c51a9d43/68747470733a2f2f696d672e736869656c64732e696f2f62616467652f5048505374616e2d6c6576656c253230392d627269676874677265656e2e7376673f7374796c653d666c6174266c6f676f3d706870 "PHPStan Level 9")](https://camo.githubusercontent.com/8ef32194988c33f2f1812ff8cf47a2804e0f95fad59acda3e1fb1f70c51a9d43/68747470733a2f2f696d672e736869656c64732e696f2f62616467652f5048505374616e2d6c6576656c253230392d627269676874677265656e2e7376673f7374796c653d666c6174266c6f676f3d706870)[![Build status for "main" branch](https://github.com/j3j5/hmac-bcrypt-laravel/actions/workflows/php.yml/badge.svg?branch=main "Build status")](https://github.com/j3j5/hmac-bcrypt-laravel/actions/workflows/php.yml/badge.svg?branch=main) This repository contains an implementation of the `hmac-bcrypt` password hashing function for the [Laravel Framework](https://github.com/laravel/laravel). It is based on the reference implementation created by [@epixoip](https://github.com/epixoip) (specifically [the PHP one](https://github.com/epixoip/hmac-bcrypt/blob/main/php/src/)). If you are asking yourself why, you can read the [technical justification](https://github.com/epixoip/hmac-bcrypt#justification) on the original implementation. Installation ------------ [](#installation) If you want to use it, you can use composer: ``` composer require j3j5/hmac-bcrypt-laravel ``` Configuration ------------- [](#configuration) On your `config/hashing.php` you can change the driver to `hmac-bcrypt`. In order to work, you need to set a *pepper* which should be a **unique (per project) secret string**. You have two options, either set `HMAC_BCRYPT_PEPPER` on your `.env` or as an environment variable, or add to your own `hashing.php` config file the following array: ``` 'hmac-bcrypt' => [ 'pepper' => 'black-pepper' ], ``` The amount of rounds used by bcrypt is also customizable. You can use `HMAC_BCRYPT_ROUNDS` on your `.env` (or as environment variable) or add the key `rounds` to the `hmac-bcrypt` key on your hashing config. ``` 'hmac-bcrypt' => [ 'rounds' => 15 ], ``` Use --- [](#use) Now you can use it like you would use the hasher on Laravel: ``` $clearTextPass = 'supersecret'; $hash = Hash::make($clearTextPass); // Now store it on the db ``` Later on... ``` if (Hash::check($clearTextPass, $hash)) { // eccoli qua! you can log in your user! // Check whether your settings have changed since last time if (Hash::needsRehash($hash)) { $newHash = Hash::make($clearTextPass); // Store the new hash on the db } } ``` Final notes ----------- [](#final-notes) Although I tried to be very careful and thorough on the implementation, I made this driver for fun so use at your own risk. I encourage you to take a dive into the code to make sure I did not miss anything important or into the tests so you can check for yourself what currently works. Underneath it uses the native PHP functions for SHA512 `hash_hmac()` and `crypt()` for the Bcrypt encryption (with a salt generated by `random_bytes()`), so this is not a case of building your own crypto libraries but instead, using the already available ones. ### Health Score 26 — LowBetter than 43% of packages Maintenance31 Infrequent updates — may be unmaintained Popularity16 Limited adoption so far Community9 Small or concentrated contributor base Maturity40 Maturing project, gaining track record Bus Factor1 Top contributor holds 81.1% of commits — single point of failure How is this calculated?**Maintenance (25%)** — Last commit recency, latest release date, and issue-to-star ratio. Uses a 2-year decay window. **Popularity (30%)** — Total and monthly downloads, GitHub stars, and forks. Logarithmic scaling prevents top-heavy scores. **Community (15%)** — Contributors, dependents, forks, watchers, and maintainers. Measures real ecosystem engagement. **Maturity (30%)** — Project age, version count, PHP version support, and release stability. ### Release Activity Cadence Every ~202 days Total 4 Last Release 709d ago ### Community Maintainers ![](https://www.gravatar.com/avatar/87fcc720208de023144a17f3e72cccf8fb872d652b8f1ab0724c765e44e3d717?d=identicon)[j3j5](/maintainers/j3j5) --- Top Contributors [![jfoulquie-tnw](https://avatars.githubusercontent.com/u/159464174?v=4)](https://github.com/jfoulquie-tnw "jfoulquie-tnw (43 commits)")[![j3j5](https://avatars.githubusercontent.com/u/1239921?v=4)](https://github.com/j3j5 "j3j5 (10 commits)") --- Tags hashing-algorithmhmac-bcryptlaravelpasswordsphp ### Code Quality TestsPHPUnit Static AnalysisPHPStan ### Embed Badge ![Health badge](/badges/j3j5-hmac-bcrypt-laravel/health.svg) ``` [![Health](https://phpackages.com/badges/j3j5-hmac-bcrypt-laravel/health.svg)](https://phpackages.com/packages/j3j5-hmac-bcrypt-laravel) ``` ### Alternatives [mews/captcha Laravel 5/6/7/8/9/10/11/12 Captcha Package 2.6k5.5M84](/packages/mews-captcha)[tzsk/otp A secure, database-free One-Time Password (OTP) generator and verifier for PHP and Laravel. 241641.4k1](/packages/tzsk-otp)[genealabs/laravel-governor Managing policy and control in Laravel. 201262.8k](/packages/genealabs-laravel-governor)[laragear/poke Keep your forms alive, avoid TokenMismatchException by gently poking your Laravel app 2211.5k](/packages/laragear-poke)[ammardev/laravel-wp-hash-driver Supports Wordpress passwords hashing and checking in Laravel's Hash facade. 169.3k](/packages/ammardev-laravel-wp-hash-driver)[aishan/lumen-captcha captcha for lumen 118.5k](/packages/aishan-lumen-captcha) PHPackages © 2026 [Directory](/)[Categories](/categories)[Trending](/trending)[Changelog](/changelog)[Analyze](/analyze)