Laravel 5.2's default password is encrypted. How can I add some salt?
By the way, what is salt?

    protected function create(array $data)
    {
        return User::create([
            'name'     => $data['name'],
            'email'    => $data['email'],
            'password' => bcrypt($data['password']),
        ]);
    }
Reply content:
The password hash generated by bcrypt already contains the salt.
A salt is a random string that prevents the password from being recovered from its hash by looking it up in a rainbow table.
No salt: the user's password is 123456, and a careless programmer saves hash('123456') straight into the database. Once the bad guy obtains the database, he can directly reverse the password from the hash.
With salt: the user still uses 123456, but a sensible programmer saves hash('123456' + salt) in the database, together with the salt. After getting the database, the bad guys can hardly recover the password from this hash (brute-force cracking is still possible, but at least the low-cost rainbow table is useless).
https://github.com/laravel/framework/blob/5.1/src/Illuminate/Hashing/BcryptHasher.php
You can look at the source code of this part:

    // Laravel's bcrypt is
    $hash = password_hash($value, PASSWORD_BCRYPT, ['cost' => 10]);

Because password_hash uses the crypt algorithm, the inputs to the hash calculation, namely the algorithm (identifiable from the format of the salt, just as the province can be read from the first digits of an ID card), the cost (10 by default) and the salt value, can all be seen directly in $hash!
Therefore, the salt used by bcrypt in Laravel is a string automatically generated by PHP, so the hash value calculated for a password is different every time.
However, given $hash and the password, you can still verify that the password is correct!
Specifically, for example:

    $hash = password_hash('Password', PASSWORD_BCRYPT, ['cost' => 10]);
    echo $hash;
    // For example, what I calculated this time is
    // $hash = '$2y$10$dyajoutgjurg9xykgaactom4k1yezvgnkxhf6phulybcenk61bpm';
We can see from this crypt hash value:
Because it starts with $2y$, its algorithm is CRYPT_BLOWFISH.
The format of the salt for the CRYPT_BLOWFISH algorithm is as follows:
$2y$ + the cost parameter + $ + 22 random characters from "./0-9A-Za-z"
$hash (CRYPT_BLOWFISH always produces a fixed 60-character value) = salt value + 31-character one-way hash value
See https://secure.php.net/manual/en/function.crypt.php
Verify the password:

    if (password_verify('Password', $hash)) {
        echo 'The password is correct.';
    } else {
        echo 'The password is incorrect!';
    }

    // The principle is: crypt() reads the algorithm, cost and salt from the
    // stored prefix, recomputes the hash and the result is compared with $hash.
    if ($hash == crypt('Password', '$2y$10$DyAJOutGjURG9xyKgAaCtO')) {
        echo 'The password is correct.';
    } else {
        echo 'The password is incorrect!';
    }
If you are writing your own system and using PHP 5.5+ or PHP 7, consider using PHP's built-in password_hash() and password_verify(); they are very convenient.
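As an added illustration of the two answers above (the rainbow-table point about unsalted hashes, and the layout of the bcrypt string that password_hash() returns), here is a stand-alone PHP script that is not part of the original thread. The function names unsaltedDigest, bcryptDigest and parseBcrypt and the sample password 123456 are my own choices; the script relies only on PHP's built-in hash(), password_hash(), password_verify() and password_needs_rehash() (PHP 5.5+).

```php
<?php
// Added example, not from the original post. Shows (1) why an unsalted hash is
// rainbow-table friendly, (2) that bcrypt salts every call, and (3) how the
// algorithm, cost and salt can be read back out of the stored bcrypt string.

// (1) Unsalted: every user with the same password gets the identical digest,
//     so one precomputed table (or one cracked account) breaks all of them.
function unsaltedDigest($password)
{
    return hash('sha256', $password);
}

// (2) bcrypt via password_hash(): PHP draws a fresh random 22-character salt
//     on every call and embeds it in the result, so two hashes of the same
//     password never match.
function bcryptDigest($password, $cost = 10)
{
    return password_hash($password, PASSWORD_BCRYPT, ['cost' => $cost]);
}

// (3) Split a 60-character bcrypt string into its documented parts:
//     "$2y$" | two-digit cost | "$" | 22-char salt | 31-char digest.
function parseBcrypt($hash)
{
    $pattern = '#^\$(2[aby])\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$#';
    if (!preg_match($pattern, $hash, $m)) {
        throw new InvalidArgumentException('not a bcrypt hash');
    }
    return [
        'algorithm' => '$' . $m[1] . '$',  // "$2y$" means CRYPT_BLOWFISH
        'cost'      => (int) $m[2],
        'salt'      => $m[3],
        'digest'    => $m[4],
    ];
}

// --- demo on a constructed sample password ---
$alice = unsaltedDigest('123456');
$bob   = unsaltedDigest('123456');
echo "unsalted, two users, same password: ",
     ($alice === $bob ? 'identical digests' : 'different digests'), "\n";

$h1 = bcryptDigest('123456');
$h2 = bcryptDigest('123456');
echo "bcrypt,   two users, same password: ",
     ($h1 === $h2 ? 'identical hashes' : 'different hashes'), "\n";

// The salt is not stored separately: it is the 22 characters after "$2y$10$".
print_r(parseBcrypt($h1));

// Verification re-reads cost and salt from the stored string, then recomputes.
echo 'verify correct password:   ', var_export(password_verify('123456', $h1), true), "\n";
echo 'verify wrong password:     ', var_export(password_verify('654321', $h1), true), "\n";

// If the cost policy is raised later, old hashes can be flagged for rehashing
// on the user's next successful login.
echo 'needs rehash at cost 12:   ', var_export(password_needs_rehash($h1, PASSWORD_BCRYPT, ['cost' => 12]), true), "\n";
```

Run it with `php example.php`. The unsalted digests come out identical while the two bcrypt strings differ, and parseBcrypt() prints the $2y$ prefix, the cost 10 and the 22-character salt recovered from the hash itself, which is exactly why Laravel never needs a separate salt column.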