
How to fix "This password does not use the Bcrypt algorithm"

And why does this happen?

Joel Clermont
2025-02-07

When I see an error message, I like to first understand why it's happening. Then, knowing what to do to fix it is usually pretty easy.

Let's take as an example an error I got recently trying to log in to a Laravel application:

"This password does not use the Bcrypt algorithm"

First, what does this mean and why is it happening?

Laravel currently defaults to using the Bcrypt algorithm to hash passwords. So when a user tries to authenticate, it takes the plain-text password they typed in, and then uses PHP's password_verify function to make sure it matches the hashed password stored in the database.

But before it checks if the hash matches, by default it first checks if the stored password hash is actually a Bcrypt hash. If it was in plain text, or hashed with another algorithm (like Argon2), there is no point in proceeding with the check. Something is very wrong with our application configuration or data. That's why this exception is thrown.
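The check described above can be reproduced outside the framework to see what a stored value looks like to a bcrypt-only verifier. This is an added example, not Laravel's code or code from the original post: the function names and the sample rows are constructed for illustration, and it relies only on PHP's built-in password_get_info, password_hash and password_verify.

```php
<?php
declare(strict_types=1);

// Classify a stored password column value as a bcrypt-only check would see it.
function classifyStoredHash(?string $stored): string
{
    if ($stored === null || $stored === '') {
        return 'empty';
    }
    // password_get_info() reports 'unknown' for anything PHP does not
    // recognise as one of its password hashes (plain text, MD5, truncated data).
    $algo = password_get_info($stored)['algoName'];
    return $algo === 'unknown' ? 'unrecognised' : $algo;
}

// Refuse to compare at all unless the stored value is a bcrypt hash.
function verifyBcryptOnly(string $plain, ?string $stored): bool
{
    $kind = classifyStoredHash($stored);
    if ($kind !== 'bcrypt') {
        throw new RuntimeException("Stored value is '{$kind}', not a bcrypt hash.");
    }
    return password_verify($plain, $stored);
}

// Constructed sample rows (user => stored password column).
$rows = [
    'alice' => password_hash('correct horse', PASSWORD_BCRYPT, ['cost' => 4]),
    'bob'   => '',                    // empty column
    'carol' => 'hunter2',             // plain text
    'dave'  => md5('correct horse'),  // legacy unsalted digest
];
if (defined('PASSWORD_ARGON2ID')) {   // only when PHP is built with Argon2 support
    $rows['erin'] = password_hash('correct horse', PASSWORD_ARGON2ID);
}

foreach ($rows as $user => $stored) {
    try {
        $ok = verifyBcryptOnly('correct horse', $stored);
        printf("%-6s %-12s %s\n", $user, classifyStoredHash($stored), $ok ? 'match' : 'no match');
    } catch (RuntimeException $e) {
        printf("%-6s %-12s %s\n", $user, classifyStoredHash($stored), $e->getMessage());
    }
}
```

Running the same classification over the password column of a users table shows which accounts hold empty, plain-text or non-bcrypt values and therefore need a password reset or rehash.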

Now that we understand why it happens, let's keep digging.

When I looked in the database at the hashed password for that user account, I could see the password field was empty. The reason why is outside the scope of this tip, but the fix was easy: Reset the password and try logging in again.

Problem solved!

If you bump into this error, your exact reason might be different, but understanding what's happening under the hood should help you figure out what to do to fix it.

Here to help,

Joel

P.S. Security is an important topic to understand. Download our free book with 7 steps to secure your Laravel application.
