Question

I'm working on a CakePHP application that needs to connect to a remote database for authentication. Passwords are stored with MD5 encryption. When I was coding the app, I used SHA encryption for my localhost database, and now the app doesn't allow me to log in since the schemas are different. How can I force CakePHP to authenticate users using MD5?

Solution

reference taken from here

I do not recommend the use of this code in any scenario, ever. MD5 is a horrible hashing algorithm for security as it is too resource-light to discourage cracking. It also has known vulnerabilities. Use bcrypt or SHA-512.

To do this, you can edit AppController.php like this:

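<?php
// AppController.php
App::uses('Controller', 'Controller');
App::uses('Security', 'Utility');

class AppController extends Controller
{
    // Runs before every controller action; makes MD5 the default hash type.
    public function beforeFilter()
    {
        Security::setHash('md5');
    }
}
?>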

However, this is not recommended as MD5 is a very poor password hashing algorithm. You're far better adding a function to allow users to log in with existing MD5 passwords, encouraging them to upgrade to the new hash, and not allowing any new users to set MD5 passwords.

If, instead, you want to use a secure function like bcrypt, you can do the following:

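<?php
// AppController.php
App::uses('Controller', 'Controller');
App::uses('Security', 'Utility');

class AppController extends Controller
{
    // Runs before every controller action; makes bcrypt the default hash type.
    public function beforeFilter()
    {
        Security::setHash('blowfish');
    }
}
?>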

When comparing plaintext values to hashes, you have to pass the original hash as the salt value in order to retain cost parameters etc.:

$newHash = Security::hash($newPassword, 'blowfish', $storedPassword);
License: CC-BY-SA with attribution
Not affiliated with StackOverflow
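
The migration path the answer recommends (accept existing MD5 hashes at login, then replace them with a stronger hash), as an added example that is not part of the original answer or of CakePHP. It uses PHP's built-in `password_hash`/`password_verify` instead of CakePHP's `Security` class so it runs stand-alone, and it assumes the legacy column holds unsalted `md5($password)` hex; `verifyAndUpgrade`, `isLegacyMd5` and the sample users are hypothetical.

```php
<?php
// Added example: upgrade legacy MD5 password hashes to bcrypt at login time.
// Assumption: the legacy column holds unsalted md5($password) as 32 hex chars.

const BCRYPT_OPTIONS = ['cost' => 12];

// A stored value that is exactly 32 hex characters is treated as legacy MD5.
function isLegacyMd5(string $stored): bool
{
    return (bool) preg_match('/\A[0-9a-f]{32}\z/i', $stored);
}

/**
 * Returns [bool $ok, ?string $replacementHash].
 * $replacementHash is non-null when the stored value should be overwritten.
 */
function verifyAndUpgrade(string $password, string $stored): array
{
    if (isLegacyMd5($stored)) {
        // Constant-time comparison against the legacy digest.
        if (!hash_equals(strtolower($stored), md5($password))) {
            return [false, null];
        }
        // Correct password: hand back a bcrypt hash to store in its place.
        return [true, password_hash($password, PASSWORD_BCRYPT, BCRYPT_OPTIONS)];
    }
    if (!password_verify($password, $stored)) {
        return [false, null];
    }
    // Already bcrypt: rehash only if the cost setting has changed since.
    $new = password_needs_rehash($stored, PASSWORD_BCRYPT, BCRYPT_OPTIONS)
        ? password_hash($password, PASSWORD_BCRYPT, BCRYPT_OPTIONS)
        : null;
    return [true, $new];
}

// Constructed sample rows standing in for the users table.
$users = [
    'alice' => md5('correct horse'),
    'bob'   => password_hash('hunter2!', PASSWORD_BCRYPT, BCRYPT_OPTIONS),
];
$attempts = [['alice', 'wrong'], ['alice', 'correct horse'], ['alice', 'correct horse'], ['bob', 'hunter2!']];

foreach ($attempts as [$name, $pw]) {
    [$ok, $new] = verifyAndUpgrade($pw, $users[$name]);
    if ($new !== null) {
        $users[$name] = $new; // persist the bcrypt hash; the MD5 value is overwritten
    }
    printf("%-5s %-14s ok=%s upgraded=%s\n", $name, $pw, $ok ? 'yes' : 'no', $new !== null ? 'yes' : 'no');
}
```

New accounts and password changes should go straight to the bcrypt path, so the set of MD5 rows only shrinks as users log in.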