How much cost/rounds does Laravel use to hash with?

Question

I'm trying to understand how the below function works from Laravel 4.2 in the BcryptHasher.php file:

/**
     * Hash the given value.
     *
     * @param  string  $value
     * @param  array   $options
     * @return string
     *
     * @throws \RuntimeException
     */
    public function make($value, array $options = [])
    {
        $cost = isset($options['rounds']) ? $options['rounds'] : $this->rounds;

        $hash = password_hash($value, PASSWORD_BCRYPT, ['cost' => $cost]);

        if ($hash === false) {
            throw new RuntimeException('Bcrypt hashing not supported.');
        }

        return $hash;
    }

I think I understand everything except for this line:

$cost = isset($options['rounds']) ? $options['rounds'] : $this->rounds;

I understand that the default of $this->rounds is set to 10, which then is the "cost" that the password will be hashed at. However, I'm confused as to what the $options array is doing and how that might affect the cost?

Answer 1

in laravel 5.5 and before, because the hash rounds number is hardcoded in these versions, there is no way, unless you build a facade or service to handle having default hashing rounds number based on what you desire and then use your wrapper class instead of the original Hash class.

But, Since laravel 5.6, the default hashing rounds number is stored in the config/hashing.php file and you can change the default to what you desire using this section or setting the BCRYPT_ROUNDS environment variable in your .env file.

/*
|--------------------------------------------------------------------------
| Bcrypt Options
|--------------------------------------------------------------------------
|
| Here you may specify the configuration options that should be used when
| passwords are hashed using the Bcrypt algorithm. This will allow you
| to control the amount of time it takes to hash the given password.
|
*/

'bcrypt' => [
    'rounds' => env('BCRYPT_ROUNDS', 10),
],