CakePHP - How do I implement blowfish hashing for passwords?

BadHorsie picture BadHorsie · Jan 14, 2014 · Viewed 11.4k times · Source

Struggling to find answers to a few basic questions about using Blowfish in Cake 2.4.

AppController.php

public $components = array(
    'Auth' => array(
        'authenticate' => array(
            'Form' => array(
                'fields' => array(
                    'username' => 'email'
                ),
                'passwordHasher' => 'Blowfish'
            )
        )
    ),
    'Cookie',
    'Session'
);

What now? How do I log in?

UsersController.php

public function login() {

    if (!empty($this->request->data)) {

        if ($this->Auth->login()) {
            $this->redirect($this->Auth->redirectUrl());
        }

    }
}

What do I need to add to this? I'm getting the following error if I try to log in:

Warning (512): Invalid salt: for blowfish Please visit http://www.php.net/crypt and read the appropriate section for building blowfish salts. [CORE/Cake/Utility/Security.php, line 285]

Do I need to salt the password before attempting login, and if so, which method do I use and what is the best thing to use for the salt? Does Cake automatically try to use the salt from the core.php config file for all users?

I'm confused mainly because I don't know which parts of using blowfish in a standard PHP way CakePHP is trying to do automatically for me.

Answer

Martin Bean picture Martin Bean · Jan 14, 2014

You can’t use Blowfish if you already have a database filled with passwords hashed using another method. If so, they won’t be valid Blowfish-hashed passwords and you’ll get the error above.

In terms of implementing Blowfish for password hashing in a CakePHP application, the Cookbook has a dedicated section on using bcrypt (Blowfish) in authentication: http://book.cakephp.org/2.0/en/core-libraries/components/authentication.html#using-bcrypt-for-passwords

You set up the components array as you have done:

<?php
class AppController {

    public $components = array(
        'Auth' => array(
            'authenticate' => array(
                'Form' => array(
                    'passwordHasher' => 'Blowfish'
                )
            )
        )
    );
}

Then to generate a password you would use the password hasher class in a model. For example, a User model:

<?php
App::uses('BlowfishPasswordHasher', 'Controller/Component/Auth');

class User extends AppModel {

    public function beforeSave($options = array()) {
        // if ID is not set, we're inserting a new user as opposed to updating
        if (!$this->id) {
            $passwordHasher = new BlowfishPasswordHasher();
            $this->data[$this->alias]['password'] = $passwordHasher->hash($this->data[$this->alias]['password']);
        }
        return true;
    }
}

Then to authenticate you don’t really need to do anything, as CakePHP’s authentication handler will do the password comparing for you:

<?php
class UsersController extends AppController {

    public function login() {
        if ($this->request->is('post')) {
            if ($this->Auth->login()) {
                return $this->redirect($this->Auth->redirectUrl());
            } else {
                $this->Session->setFlash( __('Username or password incorrect'));
            }
        }
    }
}

And that’s all there is to it.