CakePHP - How do I implement blowfish hashing for passwords?

Question

Struggling to find answers to a few basic questions about using Blowfish in Cake 2.4.

AppController.php

public $components = array(
    'Auth' => array(
        'authenticate' => array(
            'Form' => array(
                'fields' => array(
                    'username' => 'email'
                ),
                'passwordHasher' => 'Blowfish'
            )
        )
    ),
    'Cookie',
    'Session'
);

What now? How do I log in?

UsersController.php

public function login() {

    if (!empty($this->request->data)) {

        if ($this->Auth->login()) {
            $this->redirect($this->Auth->redirectUrl());
        }

    }
}

What do I need to add to this? I'm getting the following error if I try to log in:

Warning (512): Invalid salt: for blowfish Please visit http://www.php.net/crypt and read the appropriate section for building blowfish salts. [CORE/Cake/Utility/Security.php, line 285]

Do I need to salt the password before attempting login, and if so, which method do I use and what is the best thing to use for the salt? Does Cake automatically try to use the salt from the core.php config file for all users?

I'm confused mainly because I don't know which parts of using blowfish in a standard PHP way CakePHP is trying to do automatically for me.

Answer 1

You can’t use Blowfish if you already have a database filled with passwords hashed using another method. If so, they won’t be valid Blowfish-hashed passwords and you’ll get the error above.

In terms of implementing Blowfish for password hashing in a CakePHP application, the Cookbook has a dedicated section on using bcrypt (Blowfish) in authentication: http://book.cakephp.org/2.0/en/core-libraries/components/authentication.html#using-bcrypt-for-passwords

You set up the components array as you have done:

<?php
class AppController {

    public $components = array(
        'Auth' => array(
            'authenticate' => array(
                'Form' => array(
                    'passwordHasher' => 'Blowfish'
                )
            )
        )
    );
}

Then to generate a password you would use the password hasher class in a model. For example, a User model:

<?php
App::uses('BlowfishPasswordHasher', 'Controller/Component/Auth');

class User extends AppModel {

    public function beforeSave($options = array()) {
        // if ID is not set, we're inserting a new user as opposed to updating
        if (!$this->id) {
            $passwordHasher = new BlowfishPasswordHasher();
            $this->data[$this->alias]['password'] = $passwordHasher->hash($this->data[$this->alias]['password']);
        }
        return true;
    }
}

Then to authenticate you don’t really need to do anything, as CakePHP’s authentication handler will do the password comparing for you:

<?php
class UsersController extends AppController {

    public function login() {
        if ($this->request->is('post')) {
            if ($this->Auth->login()) {
                return $this->redirect($this->Auth->redirectUrl());
            } else {
                $this->Session->setFlash( __('Username or password incorrect'));
            }
        }
    }
}

And that’s all there is to it.

Answer 2

I've got an addition for all with the same problem: I saved the blowfish-hash as VARCHAR(50) which is too short in some cases. Caused by this, my login didn't work because the hash was wrong. Please ensure to use fields which adequate length (for Blowfish at least VARCHAR(123) ). Source

Answer 3

I ran into similar problems when I was trying to port a project from 1.3.x to 2.7.x. I began with the complete database (ported from MySQL to PostgreSQL in the same process) but a very empty CakePHP applications. The problem was that the hashed passwords in my users table came from CakePHP 1.x. So the hashes in the table did not follow Blowfish conventions. It is this that triggers the error message. Blowfish hashes follow a complicate format. By the way,repeated hashes of the same string will be different.

Solution:

1. Change the passwords column in the users table to VARCHAR(128) (or more).
2. Empty the column.
3. Generate valid hash for the first logon.

In order to do the latter, I inserted the following lines in the UsersController.php:

public function login() {
  if ...
  // code for getting a start password:
  $passwordHasher = new BlowfishPasswordHasher();
  $mypasswd = $passwordHasher->hash('MyPasswordinClearText');
  debug($mypasswd);
  // end inserted code
  ...
}

Very crude, but effective. Now I could log on to continue developing in the same project. Remove the code once you can log in.