CakePHP - How do I implement blowfish hashing for passwords?

cakephp cakephp-2.0 blowfish cakephp-2.4

11,563

Solution 1

You can’t use Blowfish if you already have a database filled with passwords hashed using another method. If so, they won’t be valid Blowfish-hashed passwords and you’ll get the error above.

In terms of implementing Blowfish for password hashing in a CakePHP application, the Cookbook has a dedicated section on using bcrypt (Blowfish) in authentication: http://book.cakephp.org/2.0/en/core-libraries/components/authentication.html#using-bcrypt-for-passwords

You set up the components array as you have done:

<?php
class AppController {

    public $components = array(
        'Auth' => array(
            'authenticate' => array(
                'Form' => array(
                    'passwordHasher' => 'Blowfish'
                )
            )
        )
    );
}

Then to generate a password you would use the password hasher class in a model. For example, a User model:

<?php
App::uses('BlowfishPasswordHasher', 'Controller/Component/Auth');

class User extends AppModel {

    public function beforeSave($options = array()) {
        // if ID is not set, we're inserting a new user as opposed to updating
        if (!$this->id) {
            $passwordHasher = new BlowfishPasswordHasher();
            $this->data[$this->alias]['password'] = $passwordHasher->hash($this->data[$this->alias]['password']);
        }
        return true;
    }
}

Then to authenticate you don’t really need to do anything, as CakePHP’s authentication handler will do the password comparing for you:

<?php
class UsersController extends AppController {

    public function login() {
        if ($this->request->is('post')) {
            if ($this->Auth->login()) {
                return $this->redirect($this->Auth->redirectUrl());
            } else {
                $this->Session->setFlash( __('Username or password incorrect'));
            }
        }
    }
}

And that’s all there is to it.

Solution 2

I've got an addition for all with the same problem: I saved the blowfish-hash as VARCHAR(50) which is too short in some cases. Caused by this, my login didn't work because the hash was wrong. Please ensure to use fields which adequate length (for Blowfish at least VARCHAR(123) ). Source

11,563

BadHorsie

Updated on June 04, 2022

Comments

BadHorsie almost 2 years
Struggling to find answers to a few basic questions about using Blowfish in Cake 2.4.

AppController.php
```
public $components = array(
    'Auth' => array(
        'authenticate' => array(
            'Form' => array(
                'fields' => array(
                    'username' => 'email'
                ),
                'passwordHasher' => 'Blowfish'
            )
        )
    ),
    'Cookie',
    'Session'
);
```
What now? How do I log in?

UsersController.php
```
public function login() {

    if (!empty($this->request->data)) {

        if ($this->Auth->login()) {
            $this->redirect($this->Auth->redirectUrl());
        }

    }
}
```
What do I need to add to this? I'm getting the following error if I try to log in:

Warning (512): Invalid salt: for blowfish Please visit http://www.php.net/crypt and read the appropriate section for building blowfish salts. [CORE/Cake/Utility/Security.php, line 285]

Do I need to salt the password before attempting login, and if so, which method do I use and what is the best thing to use for the salt? Does Cake automatically try to use the salt from the core.php config file for all users?

I'm confused mainly because I don't know which parts of using blowfish in a standard PHP way CakePHP is trying to do automatically for me.
- Katelyn over 9 years
  
  I'm having this issue too. Did you ever solve it?
mark over 10 years

if (!$this->id) {} is quite unconventional. I would not recommend that approach. especially if you also want to provide functionality for the user to be able to change his password. Using !empty() suits better here. See here.
BadHorsie over 10 years

Your example doesn't really add anything to what I have, as users cannot register themselves so there is no user creation by them. How should I store the hashed password in the database? Which datatype/length?
Martin Bean over 10 years

@mark Indeed, but I had an issue where, if I fetched User records, then saved them, if the password came in the result set (i.e. with a find('all') call) then the password was re-hashed, just because it was present, so therefore !empty() didn’t cut it.
Martin Bean over 10 years

@BadHorsie You would need to implement a controller action to add a user. Have a field in the form for password ($this->Form->input('User.password');) and CakePHP will do the rest. As for database column type: CHAR(60).