Can't you just do it the regular way, have fields for the hints and display those fields to the user if they enter the right username? Why make things hard? I also use another framework that doesn't have csrf built in, but it was nothing to implement csrf protection based on this: http://shiflett.org/articles/cross-site-scripting. I like laravel, but I also like doing things a standard way sometimes, I don't worry about the laravel way. I even write long queries the regular way many times. But I know how to normalize a database and write efficient regular sql queries.
In fact for some who depend too much on "eloquent query syntax", what will they do if they get hired by a company where you have to write regular sql? I like eloquent a lot, but I insist on knowing the regular sql before converting to eloquent syntax.
Silly thing is at run time it's just converted to regular sql anyway. Eloquent isn't a new programming language, it has shortcut helpers. I get tired of seeing in the forum "the laravel way". Instead it would be nice to see the standard, regular way. But at least laravel gives you the freedom to choose things on your own. I.e., I can use blade or regular html. I like that. I am not forced to use blade. Bottom line is laravel is a good framework. But sometimes the "laravel way" might not always be the best way.
djtechonline said: I am creating a new, blank Laravel 5 project to play with, but I do not see how to enable the views in resources/views/auth. Should I be creating routes to these? Documentation states only that "We've even provided views to get you started!"
I just made a fresh Laravel 5 project with `laravel new testproject` command, and it has everything set up for authentication: registration, login, and password reset. The auth-related routes from generated `routes.php` are:

```php
Route::controllers([
    'auth' => 'Auth\AuthController',
    'password' => 'Auth\PasswordController',
]);
```

`PasswordController` is not just a single constructor. The meat of it is included as a trait:

```php
use ResetsPasswords; // Illuminate\Foundation\Auth\ResetsPasswords
```
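How a trait can supply all of a controller's actions while the class body shows only a constructor, as an added example that is not part of the original posts and is not Laravel's own code. The `*Demo` names and the `implicitRoutes()` helper are hypothetical, and the helper is a simplified imitation of how `Route::controllers()` maps verb-prefixed public methods to URIs.

```php
<?php
// Added illustration in plain PHP, not Laravel's source. All *Demo names are hypothetical.

// Stand-in for Illuminate\Foundation\Auth\ResetsPasswords: the actions live in the trait.
trait ResetsPasswordsDemo
{
    public function getEmail()  { return 'show the "email me a reset link" form'; }
    public function postEmail() { return 'send the reset link'; }
    public function getReset($token = null) { return 'show the new-password form'; }
    public function postReset() { return 'store the new password'; }
    protected function sendLink() { return 'not routable: not public'; }
}

// Stand-in for PasswordController: the body holds only a constructor.
class PasswordControllerDemo
{
    use ResetsPasswordsDemo; // copies the trait's methods into this class

    public function __construct() {}
}

// Simplified imitation of implicit-controller routing:
// each public method named <verb><Name> becomes "<VERB> /<prefix>/<name>".
function implicitRoutes($class, $prefix)
{
    $ref = new ReflectionClass($class);
    $routes = [];
    foreach ($ref->getMethods(ReflectionMethod::IS_PUBLIC) as $method) {
        $name = $method->getName();
        if (!preg_match('/^(get|post|put|patch|delete)([A-Z]\w*)$/', $name, $m)) {
            continue; // __construct and other non-action methods are skipped
        }
        $origin = $class; // the class itself, unless one of its traits supplies the method
        foreach ($ref->getTraits() as $trait) {
            if ($trait->hasMethod($name)) {
                $origin = $trait->getName();
            }
        }
        // CamelCase action name to a dashed, lower-case URI segment
        $uri = strtolower(preg_replace('/(?<!^)[A-Z]/', '-$0', $m[2]));
        $routes[] = sprintf('%-4s /%s/%s  %s() from %s',
            strtoupper($m[1]), $prefix, $uri, $name, $origin);
    }
    return $routes;
}

echo implode("\n", implicitRoutes('PasswordControllerDemo', 'password')), "\n";
```

Every public verb-prefixed method a trait brings in is reachable as a route under this scheme, so a trait's public methods are worth reviewing before it is added to a controller registered this way.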
jimgwhit:
I appreciate the feedback, however I disagree with you that there is a "Regular Way" to do things. In my opinion, your suggestion poses much more of a security threat as often a "hint" can be easily guessed. My alternative is to allow the user to choose between a specific type of security question or by offering a password reset request via email. If the user elects the latter, he/she must have access to their email account, thus better verifying authenticity. If they choose the security question, it will be much stronger than just displaying a hint.
As for CSRF, SQL and Eloquent: I agree that you should know how something works before using it. Albeit, I am very experienced with SQL and executing raw queries is not a problem for me and I know of many ways to prevent attacks. The purpose of choosing a Framework, such as Laravel, is to standardize your coding. If there is an official way for any framework to accomplish a task, I think it should be considered unless you have a specific reason not to. In any case, you should always know the standard code behind it.
Xum: I did see the routes you have mentioned. I believe my issue is with using traits. This concept is new to me and documentation on the PHP site is still a bit confusing. I expected to see various controller actions as in Laravel4. I will look into this more and appreciate your help.