How to Validate Current Password Against User Input Using Laravel Validator?
Stefan Bogdanescu
Founder & Senior Architect · 2026-06-29
How to Validate Current Password Against User Input Using Laravel Validator
Implementing secure password change functionality is one of the most critical tasks in any application. When a user attempts to change their password, you must ensure they are entering the correct current password before allowing them to set a new one. This prevents unauthorized access and protects against malicious attempts to reset accounts.
As developers working with Laravel, we often lean on the powerful validation system. However, when dealing with sensitive data like passwords, simply comparing strings is not enough—we must deal with cryptographic hashes. The issue you encountered with using same:$pass highlights a crucial security distinction between simple string comparison and secure password verification.
This post will walk you through the correct, secure method for validating a user's current password against a stored hash within your Laravel application.
The Pitfall of Simple Validation Rules
You attempted to use $rules = array('password_current' => 'required|same:$pass');. While this syntax is valid in some contexts, it fails here because the same rule, when used in standard Laravel validation for comparing user input against a stored value, generally performs a simple string comparison. This approach is fundamentally insecure when dealing with password hashes.
Passwords are never stored in plain text; they are stored as salted and hashed values (using functions like bcrypt). If you compare the user's entered plain-text password directly against the stored hash using a simple validation rule, you are introducing a massive security vulnerability and an unreliable validation process.
The Secure Solution: Using Laravel's Hashing Capabilities
The correct approach is not to rely solely on the built-in validation rules for this specific comparison but to use PHP’s robust hashing functions, which Laravel provides access to via the Hash facade. This ensures that the comparison happens in a cryptographically secure manner.
Step 1: Retrieve and Store the Current Password Hash
First, ensure you have retrieved the stored hashed password for the user (let's assume it is stored in an Eloquent model).
// Example: Retrieving the stored hash from the database
$storedPasswordHash = $user->password; // This holds the hashed value
Step 2: Validate the Input Securely in Your Controller or Request
Instead of using a simple validation rule, you should perform the check before proceeding with the password update. You can use the Hash::check() method to securely compare the user's input against the stored hash.
Here is how you implement this logic within your controller method:
use Illuminate\Support\Facades\Hash;
use Illuminate\Http\Request;
class PasswordController extends Controller
{
public function changePassword(Request $request, User $user)
{
// 1. Validate the input fields (ensuring they exist)
$request->validate([
'current_password' => 'required',
'new_password' => 'required|min:8', // Example for the new password
]);
$inputPassword = $request->input('current_password');
$storedHash = $user->password; // Retrieve the hash from the model
// 2. Securely check if the entered password matches the stored hash
if (!Hash::check($inputPassword, $storedHash)) {
// If the passwords do not match, halt the process and return an error.
return back()->withErrors(['current_password' => 'The current password provided is incorrect.']);
}
// 3. If validation passes, proceed with updating the password
$user->password = Hash::make($request->input('new_password'));
$user->save();
return redirect('/profile')->with('success', 'Password successfully updated.');
}
}
Best Practices for Password Handling in Laravel
When dealing with authentication and sensitive data, it is essential to remember that relying solely on validation rules can obscure the actual security mechanism. As you build complex features using Laravel, always prioritize security by leveraging built-in helpers like the Hash facade. This practice aligns perfectly with the principles of secure development advocated by platforms like laravelcompany.com.
By explicitly using Hash::check(), you ensure that the comparison is handled by the underlying cryptographic functions, making your password validation robust and resistant to common security flaws.
Conclusion
To successfully validate a user's current password in Laravel, move beyond simple string comparisons within the validator. Instead, integrate the actual hashing mechanism provided by PHP into your controller logic using Hash::check(). This ensures that you are performing a cryptographic comparison, which is the only secure way to handle password verification. By adopting this approach, you ensure that your "Change Password" feature is not only functional but also fundamentally secure.