Blowfish in CakePHP is generating different passwords every time

栀梦 2020-12-21 14:23

I'm having trouble implementing Blowfish Hashing in CakePHP. I've done it many times before but something really strange is happening this time.

When I do this in

3 Answers
  • 2020-12-21 14:43

    This is expected behaviour. Blowfish hashes contain the randomly generated salt, the resulting hash, the number of rounds used to arrive at that resulting hash, and the method used for hashing. Let's break down your first example:

    Method: $2a
    Rounds: $10
    Hash+Salt: $Ow67P5proa7LqBwlXCLFQOc/2WyfvSVNtBLNA5PMb2wxWuoK0mrvq

    When authenticating, the hash string is split by the $ delimiter, and the salt is grabbed out of the final token. It's usually a fixed length from the end depending on the algorithm used (in this case it's probably /2WyfvSVNtBLNA5PMb2wxWuoK0mrvq). The steps to authenticate are then:

    1. Get plaintext
    2. For 2^$Rounds:
    3. Hash plaintext or result of previous round.
    4. Append the $Salt to the result

    The hash is then $Method$Rounds$Result$Salt. Check the result against what is recorded in the database - if the output matches, the supplied plaintext is correct.

  • 2020-12-21 14:53

    Maybe a possible reason for this is the Security.salt; this should be empty, or in CakePHP use the beforeFilter.

    This in your appcontroller.php:

    public function beforeFilter() {
        // Make blowfish the default hash type for Security::hash()
        Security::setHash('blowfish');
    }

    Now in your PeopleController.php:

    public function beforeFilter() {
        // Run AppController::beforeFilter() so the hash type is set
        parent::beforeFilter();
    }

    And in your People model:

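    // At the top of the model file, before the class declaration
    App::uses('BlowfishPasswordHasher', 'Controller/Component/Auth');

    public function beforeSave($options = array()) {
        // Hash the password only when a new record is created (no id yet)
        if (!$this->id) {
            $passwordHasher = new BlowfishPasswordHasher();
            $this->data[$this->alias]['password'] = $passwordHasher->hash($this->data[$this->alias]['password']);
        }

        return true;
    }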
  • 2020-12-21 14:55

    Ultimately Security::_hash() is being used internally, which uses a pseudo random salt for use with crypt(), so that's the expected behavior, nothing wrong with it.

    https://github.com/cakephp/cakephp/blob/2.4.6/lib/Cake/Utility/Security.php#L276

    Comparing passwords will work just fine, as it will use the salt of the stored password hash to generate a matching hash.

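The behaviour the answers describe, as an added example in plain PHP (not from the original thread and not CakePHP's own code): two bcrypt hashes of the same password differ because each gets a fresh salt, yet both verify when crypt() is given the stored hash as its settings string. The function names, the sample password and the cost of 10 are assumptions; it needs PHP 7 or later.

```php
<?php
// Added example in plain PHP; not CakePHP's own code.
// The password and the cost of 10 are constructed sample values.

// Split a bcrypt string into its fields. The layout is
// $<method>$<cost>$ followed by 22 salt characters and 31 digest characters.
function parseBcrypt(string $hash): array
{
    $pattern = '#^\$(2[abxy])\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})\z#';
    if (!preg_match($pattern, $hash, $m)) {
        throw new InvalidArgumentException('not a bcrypt hash');
    }
    return ['method' => $m[1], 'cost' => (int) $m[2], 'salt' => $m[3], 'digest' => $m[4]];
}

// Verify by re-hashing the candidate with the settings embedded in the stored hash.
function verifyPassword(string $plaintext, string $storedHash): bool
{
    try {
        parseBcrypt($storedHash);
    } catch (InvalidArgumentException $e) {
        return false; // malformed value, e.g. cut short by a too-narrow column
    }
    // crypt() reads method, cost and salt from the stored hash
    $candidate = crypt($plaintext, $storedHash);
    return hash_equals($storedHash, $candidate); // constant-time comparison
}

$password = 'correct horse battery staple';
$first  = password_hash($password, PASSWORD_BCRYPT, ['cost' => 10]);
$second = password_hash($password, PASSWORD_BCRYPT, ['cost' => 10]);

printf("hash 1: %s\nhash 2: %s\n", $first, $second);
printf("salt 1: %s\nsalt 2: %s\n", parseBcrypt($first)['salt'], parseBcrypt($second)['salt']);
printf("hashes identical:         %s\n", var_export($first === $second, true));
printf("right password, hash 1:   %s\n", var_export(verifyPassword($password, $first), true));
printf("right password, hash 2:   %s\n", var_export(verifyPassword($password, $second), true));
printf("wrong password, hash 1:   %s\n", var_export(verifyPassword('wrong guess', $first), true));
printf("right password, cut hash: %s\n", var_export(verifyPassword($password, substr($first, 0, 40)), true));
```

Comparing a freshly generated hash against the stored one with `===` never matches; the check has to re-hash the submitted password using the stored hash, as `verifyPassword()` does here.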