Using a more secure hash algorithm with CakePHP

By default, CakePHP seems to use the SHA1 algorithm for hashing passwords and appears to offer SHA256 as an alternative:

http://api.cakephp.org/view_source/security#line-86

I wanted to switch to a more secure solution for password hashing before making my application publicly available, to save myself future headaches when switching to a more secure hash algorithm later. I looked through several guides for using bcrypt or something similar, but they all seem to target older versions of Cake or have a poor hash implementation.

Is there a guide somewhere that can show me how to integrate better password hashing without changing the code in my models or controllers?

Also, a small question: why did the Cake developers only include SHA password hashing in their release? It is well known that SHA is a broken hash algorithm for passwords; it seems to me that such an authoritative framework would not miss this.

1 answer

In this ticket, CakePHP member Mark Story mentions that bcrypt will be supported in CakePHP 2.3 (not yet released) and will become standard / default in 3.0.

In addition, in this blog post, Mark talks about what changes are needed to use bcrypt in CakePHP 2.0. This is relatively minor, although changes will be required for your user model.

Borrowing the code from this post, what Mark did was subclass FormAuthenticate:

<?php
App::uses('FormAuthenticate', 'Controller/Component/Auth');

class BcryptFormAuthenticate extends FormAuthenticate {

    /**
     * The cost factor for the hashing.
     *
     * @var integer
     */
    public static $cost = 10;

    /**
     * Password method used for logging in.
     *
     * @param string $password Password.
     * @return string Hashed password.
     */
    protected function _password($password) {
        return self::hash($password);
    }

    /**
     * Create a blowfish / bcrypt hash.
     * Individual salts could/should be used to be even more secure.
     *
     * @param string $password Password.
     * @return string Hashed password.
     */
    public static function hash($password) {
        // bcrypt salts are 22 characters from the alphabet ./A-Za-z0-9
        $salt = substr(Configure::read('Security.salt'), 0, 22);
        return crypt($password, '$2a$' . self::$cost . '$' . $salt);
    }
}

Then an update was made to the array of controller components:

<?php
public $components = array(
    'Auth' => array(
        'authenticate' => 'BcryptForm',
        // other keys.
    )
);

And finally, updating the user model's beforeSave:

<?php
App::uses('BcryptFormAuthenticate', 'Controller/Component/Auth');

class User extends AppModel {

    function beforeSave() {
        // Hash the plaintext password before it is written to the database.
        if (isset($this->data['User']['password'])) {
            $this->data['User']['password'] = BcryptFormAuthenticate::hash($this->data['User']['password']);
        }
        return true;
    }
}
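The hash() above derives one fixed salt from Security.salt, so two users with the same password get the same hash; the code comment itself notes that individual salts would be better. As an added example that is not part of the original post or of CakePHP, here is a per-password random salt variant with a verify() that re-hashes using the salt embedded in the stored value and compares in constant time; with per-user salts the login path must load the user by username and call verify(), rather than matching on a recomputed hash as _password() does. It assumes PHP 5.3.7 or later (for the `$2y$` prefix) and the class and method names are hypothetical.

```php
<?php
// Added example: per-password salted bcrypt via crypt(), not the post's own code.
class BcryptHelper {

    public static $cost = 10;

    // Build a 22-character salt from the bcrypt alphabet ./A-Za-z0-9.
    // base64 uses '+' and '/', so '+' is mapped to '.'; '/' is already valid.
    public static function generateSalt() {
        $bytes = openssl_random_pseudo_bytes(16);     // 16 bytes -> 22 base64 chars + padding
        return substr(strtr(base64_encode($bytes), '+', '.'), 0, 22);
    }

    // Returns a 60-character bcrypt string; cost and salt are embedded in it.
    public static function hash($password) {
        $cost = sprintf('%02d', self::$cost);          // bcrypt requires a two-digit cost
        $hash = crypt($password, '$2y$' . $cost . '$' . self::generateSalt());
        if (strlen($hash) !== 60) {
            // crypt() returns a short '*' string when the salt or prefix is unsupported
            throw new RuntimeException('bcrypt hashing failed');
        }
        return $hash;
    }

    // Re-hash with the salt taken from $stored and compare byte-by-byte
    // without short-circuiting, so timing does not reveal the matching prefix.
    public static function verify($password, $stored) {
        $candidate = crypt($password, $stored);
        if (strlen($candidate) !== strlen($stored)) {
            return false;
        }
        $diff = 0;
        for ($i = 0; $i < strlen($stored); $i++) {
            $diff |= ord($candidate[$i]) ^ ord($stored[$i]);
        }
        return $diff === 0;
    }
}

// Constructed usage: two hashes of the same password differ, both verify.
$h1 = BcryptHelper::hash('correct horse battery');
$h2 = BcryptHelper::hash('correct horse battery');
var_dump($h1 !== $h2);                                        // bool(true)
var_dump(BcryptHelper::verify('correct horse battery', $h1)); // bool(true)
var_dump(BcryptHelper::verify('wrong password', $h1));        // bool(false)
```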

Source: https://habr.com/ru/post/921454/
