Migrating a user table with a hashed password from an old PHP application to a new Laravel application

I am working on an old PHP application, and the user password is hashed using the md5() function. Thus, passwords are stored as:

c0c92dd7cc524a1eb55ffeb8311dd73f 

I am developing a new application with Laravel 4, and I need suggestions on how to migrate the user table without losing the password field.

1 answer

Free this password field as soon as you can, but if you don't want to risk losing users, you can do something similar in your auth method:

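    if (Auth::attempt(array('email' => Input::get('email'), 'password' => Input::get('password')))) {
        return Redirect::intended('dashboard');
    } else {
        // Fall back to the legacy MD5 digest for accounts that are not migrated yet
        $user = User::where('email', Input::get('email'))->first();

        // Strict comparison: == would compare "0e..." digests as numbers
        if ($user && $user->password === md5(Input::get('password'))) {
            // Replace the MD5 digest with a Laravel hash
            $user->password = Hash::make(Input::get('password'));
            $user->save();

            // Auth::login() expects the user model, not the e-mail address
            Auth::login($user);

            return Redirect::intended('dashboard');
        }
    }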

This basically changes the password from md5 to Hash every time a user logs in.

But you really need to think about sending a link to all your users so that they change their passwords.

EDIT:

To increase security even further, according to @martinstoeckli's comment, it would be better:

Hash all your current md5 passwords:

    // One-off job: wrap each stored MD5 digest in a Laravel hash
    foreach (User::all() as $user) {
        $user->password = Hash::make($user->password);
        $user->save();
    }

And then use an even cleaner method to update your passwords:

    $password = Input::get('password');
    $email = Input::get('email');

    if (Auth::attempt(array('email' => $email, 'password' => $password))) {
        return Redirect::intended('dashboard');
    } else if (Auth::attempt(array('email' => $email, 'password' => md5($password)))) {
        // The stored value is still Hash::make(md5(...)): re-hash the plain password
        Auth::user()->password = Hash::make($password);
        Auth::user()->save();

        return Redirect::intended('dashboard');
    }
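The two-step migration from the answer's EDIT, as an added example that is not part of the original answer and not Laravel's own code: plain PHP with `password_hash()` standing in for `Hash::make()`, an in-memory array for the user table, and a hypothetical `legacy_md5` flag column. The flag goes one step beyond the answer: flagged rows are verified only as bcrypt(md5(input)), so the stored MD5 digest itself is never accepted as a password.

```php
<?php
// Added example: plain-PHP sketch of the wrap-then-upgrade migration.
// Assumptions: users live in an in-memory array; `legacy_md5` is a hypothetical
// flag column; password_hash() stands in for Laravel's Hash::make().

// Constructed sample rows as they look in the old application (raw MD5 hex).
$users = array(
    'alice@example.com' => array('password' => md5('correct horse'), 'legacy_md5' => false),
    'bob@example.com'   => array('password' => md5('hunter2'),       'legacy_md5' => false),
);

// Step 1: one-off batch job. Wrap every stored MD5 digest in bcrypt and flag the row.
function wrapLegacyHashes(array &$users)
{
    foreach ($users as &$row) {
        $row['password']   = password_hash($row['password'], PASSWORD_BCRYPT);
        $row['legacy_md5'] = true;
    }
    unset($row);
}

// Step 2: login. A flagged row is checked only as bcrypt(md5(input)); on success
// it is re-hashed from the plain password and the flag is cleared.
function login(array &$users, $email, $password)
{
    if (!isset($users[$email])) {
        return false;
    }
    $row = &$users[$email];
    $candidate = $row['legacy_md5'] ? md5($password) : $password;
    if (!password_verify($candidate, $row['password'])) {
        return false;
    }
    if ($row['legacy_md5'] || password_needs_rehash($row['password'], PASSWORD_BCRYPT)) {
        $row['password']   = password_hash($password, PASSWORD_BCRYPT);
        $row['legacy_md5'] = false;
    }
    return true;
}

wrapLegacyHashes($users);
var_dump(login($users, 'alice@example.com', 'correct horse')); // correct password, flagged row
var_dump($users['alice@example.com']['legacy_md5']);           // flag after the upgrade
var_dump(login($users, 'bob@example.com', md5('hunter2')));    // old digest submitted as password
var_dump(login($users, 'alice@example.com', 'correct horse')); // second login, upgraded row
```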

Source: https://habr.com/ru/post/957994/

