Changing password with CakePHP and blowfish

4
votes

I'm trying to set up a form to allow a user to change their password using CakePHP 2.3. The algorithm being used is blowfish. I have the following three fields:

<?php echo $this->Form->input('old_password', array('type' => 'password', 'autocomplete' => 'off')); ?>
<?php echo $this->Form->input('new_password', array('type' => 'password', 'autocomplete' => 'off')); ?>
<?php echo $this->Form->input('new_password_confirm', array('type' => 'password', 'autocomplete' => 'off', 'label' => 'Confirm Password')); ?>

Here is the code where I'm trying to verify they entered their old password correctly:

$hash = Security::hash($this->request->data['User']['old_password'], 'blowfish');
$correct = $this->User->find('first', array(
    'conditions' => array(
        'User.id' => AuthComponent::user('id'),
        'User.password' => $hash
    ),
    'fields' => array('id')
));

The problem is that even though I type in the old password correctly, Cake never finds the user because it doesn't seem to be calculating the correct hash. Each time I submit the form with the same old password, Cake generates a different hash every time. This is likely due to my lack of understanding of how the blowfish/bcrypt algorithm works, but I can't seem to figure it out.

What am I missing here?

2
cakephpcakephp-2.0bcryptblowfish

2 Answers

16
votes

Working with blowfish hashes is different than with other hash types. From the API docs of the hash method:

Comparing Hashes: Simply pass the originally hashed password as the salt.

This means in your case you first have to retrieve the hashed password for the specific user and then use it as the salt. Something like

$user = $this->User->find('first', array(
  'conditions' => array(
    'User.id' => AuthComponent::user('id')
  ),
  'fields' => array('password')
));
$storedHash = $user['User']['password'];
$newHash = Security::hash($this->request->data['User']['old_password'], 'blowfish', $storedHash);
$correct = $storedHash == $newHash;
2
votes

Is Easy add in Models for example Users.

Link source: https://bitbucket.org/snippets/eom/arzxR

/**
 * Users Model
 */
class Users extends AppModel
{
.........

public function beforeSave($options = array()) {
    parent::beforeSave($options);
    // Save new password is exist..?
    if (isset($this->data[$this->alias]['password'])==true) {
        // Security bcrypt Blowfish
        App::uses('Security', 'Utility');
        $hash = Security::hash($this->data[$this->alias]['password'], 'blowfish');
        $this->data[$this->alias]['password'] = $hash;
    }
    return true;
}

public function password_check($user_id = null, $password_check = null) {
    // Get password old
    $hash_old = $this->field('password',array('id'=>trim($user_id)));
    // Security bcrypt Blowfish
    App::uses('Security', 'Utility');
    $hash_new_check = Security::hash($password_check, 'blowfish', $hash_old);
    // Son iguales
    if($hash_new_check == $hash_old){
        return true;
    }
    return false;
}

public function password_update($user_id = null, $password_new = null) {
    // Update new password
    if($this->save(array('id'=>$user_id, 'password'=>$password_new))){
        return true;
    }
    return false;
}

    .........
}