Using Md5 for password hash in Auth component of Cakephp 2.x

Question

I have an existing website, built using CakePhp 1.3. In that website I have used MD5 algorithm for the password hash.

Now I want to upgrade my CakePhp version to 2.3

Answer 1

Don't use md5 for passwords

md5 is not an appropriate hashing algorithm for hashing passwords, don't use it. There are many, many references which explain why - including the php manual:

Why are common hashing functions such as md5() and sha1() unsuitable for passwords?

Hashing algorithms such as MD5, SHA1 and SHA256 are designed to be very fast and efficient. With modern techniques and computer equipment, it has become trivial to "brute force" the output of these algorithms, in order to determine the original input.

Because of how quickly a modern computer can "reverse" these hashing algorithms, many security professionals strongly suggest against their use for password hashing.

How to change the default hash algorithm

You can change the default hashing algorithm using setHash, a recommended hash algorithm for passwords is blowfish:

Security::setHash('blowfish');

How to handle existing passwords

If you really want to, you can just change setHash to use md5.

But that's not a good idea.

Don't compromise the security of a new/updated application just to accommodate the poor security of the old one. Instead of using the same hash algoritm (and salt) as the previous application you can use logic such as the following (pseudo-ish code):

$username = $this->data['User']['username'];
$plainText = $this->data['User']['password'];

$user = current($this->User->findByUsername($username));

Security::setHash('blowfish');
$blowfished = Security::hash($plainText, 'blowfish', $user['password']);

if ($blowfished === $user['password']) {
    return true; // user exists, password is correct
}

$oldSalt = Configure::read('configure.this');
$md5ed = Security::hash($plainText, 'md5', $oldSalt);

if ($md5ed === $user['password']) {
    $this->User->id = $user['id'];

    $blowfished = Security::hash($plainText);
    $this->User->saveField('password', $blowfished);

    return true; // user exists, password now updated to blowfish
}

return false; // user's password does not exist.

This kind of logic is not complex, and prevents the need to continue using a bad hash algorithm.