CakePHP - How do I implement blowfish hashing for passwords?

Question

Struggling to find answers to a few basic questions about using Blowfish in Cake 2.4.

AppController.php

public $components = array(
    'Auth' => array(
        'authenticate' => array(
            'Form' => array(
                'fields' => array(
                    'username' => 'email'
                ),
                'passwordHasher' => 'Blowfish'
            )
        )
    ),
    'Cookie',
    'Session'
);

What now? How do I log in?

UsersController.php

public function login() {

    if (!empty($this->request->data)) {

        if ($this->Auth->login()) {
            $this->redirect($this->Auth->redirectUrl());
        }

    }
}

What do I need to add to this? I'm getting the following error if I try to log in:

Warning (512): Invalid salt: for blowfish Please visit http://www.php.net/crypt and read the appropriate section for building blowfish salts. [CORE/Cake/Utility/Security.php, line 285]

Do I need to salt the password before attempting login, and if so, which method do I use and what is the best thing to use for the salt? Does Cake automatically try to use the salt from the core.php config file for all users?

I'm confused mainly because I don't know which parts of using blowfish in a standard PHP way CakePHP is trying to do automatically for me.

I'm having this issue too. Did you ever solve it? – Katelyn Aug 12 '14 at 03:10 — Katelyn, Aug 12 '14 at 03:10

score 9 · Accepted Answer · answered Jan 14 '14 at 12:48

You can’t use Blowfish if you already have a database filled with passwords hashed using another method. If so, they won’t be valid Blowfish-hashed passwords and you’ll get the error above.

In terms of implementing Blowfish for password hashing in a CakePHP application, the Cookbook has a dedicated section on using bcrypt (Blowfish) in authentication: http://book.cakephp.org/2.0/en/core-libraries/components/authentication.html#using-bcrypt-for-passwords

You set up the components array as you have done:

<?php
class AppController {

    public $components = array(
        'Auth' => array(
            'authenticate' => array(
                'Form' => array(
                    'passwordHasher' => 'Blowfish'
                )
            )
        )
    );
}

Then to generate a password you would use the password hasher class in a model. For example, a User model:

<?php
App::uses('BlowfishPasswordHasher', 'Controller/Component/Auth');

class User extends AppModel {

    public function beforeSave($options = array()) {
        // if ID is not set, we're inserting a new user as opposed to updating
        if (!$this->id) {
            $passwordHasher = new BlowfishPasswordHasher();
            $this->data[$this->alias]['password'] = $passwordHasher->hash($this->data[$this->alias]['password']);
        }
        return true;
    }
}

Then to authenticate you don’t really need to do anything, as CakePHP’s authentication handler will do the password comparing for you:

<?php
class UsersController extends AppController {

    public function login() {
        if ($this->request->is('post')) {
            if ($this->Auth->login()) {
                return $this->redirect($this->Auth->redirectUrl());
            } else {
                $this->Session->setFlash( __('Username or password incorrect'));
            }
        }
    }
}

And that’s all there is to it.

`if (!$this->id) {}` is quite unconventional. I would not recommend that approach. especially if you also want to provide functionality for the user to be able to change his password. Using !empty() suits better here. See [here](http://www.dereuromark.de/2011/08/25/working-with-passwords-in-cakephp/). — mark, Jan 14 '14 at 12:52
Your example doesn't really add anything to what I have, as users cannot register themselves so there is no user creation by them. How should I store the hashed password in the database? Which datatype/length? — BadHorsie, Jan 14 '14 at 12:56
@mark Indeed, but I had an issue where, if I fetched `User` records, then saved them, if the password came in the result set (i.e. with a `find('all')` call) then the password was re-hashed, just because it was present, so therefore `!empty()` didn’t cut it. — Martin Bean, Jan 14 '14 at 15:04
@BadHorsie You would need to implement a controller action to add a user. Have a field in the form for password (`$this->Form->input('User.password');`) and CakePHP will do the rest. As for database column type: `CHAR(60)`. — Martin Bean, Jan 14 '14 at 15:05

score 1 · Answer 2 · answered Aug 19 '14 at 15:58

I've got an addition for all with the same problem: I saved the blowfish-hash as VARCHAR(50) which is too short in some cases. Caused by this, my login didn't work because the hash was wrong. Please ensure to use fields which adequate length (for Blowfish at least VARCHAR(123) ). Source

score 0 · Answer 3 · answered Sep 25 '15 at 09:35

I ran into similar problems when I was trying to port a project from 1.3.x to 2.7.x. I began with the complete database (ported from MySQL to PostgreSQL in the same process) but a very empty CakePHP applications. The problem was that the hashed passwords in my users table came from CakePHP 1.x. So the hashes in the table did not follow Blowfish conventions. It is this that triggers the error message. Blowfish hashes follow a complicate format. By the way,repeated hashes of the same string will be different.

Solution:

Change the passwords column in the users table to VARCHAR(128) (or more).
Empty the column.
Generate valid hash for the first logon.

In order to do the latter, I inserted the following lines in the UsersController.php:

public function login() {
  if ...
  // code for getting a start password:
  $passwordHasher = new BlowfishPasswordHasher();
  $mypasswd = $passwordHasher->hash('MyPasswordinClearText');
  debug($mypasswd);
  // end inserted code
  ...
}

Very crude, but effective. Now I could log on to continue developing in the same project. Remove the code once you can log in.

CakePHP - How do I implement blowfish hashing for passwords?

3 Answers3

Linked