Working with blowfish hashes is different than with other hash types. From the API docs of the hash method:
Comparing Hashes: Simply pass the originally hashed password as the salt.
This means in your case you first have to retrieve the hashed password for the specific user and then use it as the salt. Something like
$user = $this->User->find('first', array(
'conditions' => array(
'User.id' => AuthComponent::user('id')
),
'fields' => array('password')
));
$storedHash = $user['User']['password'];
$newHash = Security::hash($this->request->data['User']['old_password'], 'blowfish', $storedHash);
$correct = $storedHash == $newHash;