
I am using CakePHP for a school project where a filled-in database is given to you.

Users are required to log in with a username / password, which I already made. The problem, however, is that users in the database have an unencrypted password, which I want to authenticate them with.

I can't find any way to disable the password hash check. I tried specifying a fallback password hasher like this:

$authenticationService->loadIdentifier('Authentication.Password', [
    'fields' => [
        'username' => 'username',
        'password' => 'password',
    ],
    'passwordHasher' => [
        'className' => 'Authentication.Fallback',
        'hashers' => [
            'Authentication.Default',
            [
                'className' => 'Authentication.Legacy',
                'hashType' => 'md5',
                'salt' => false
            ],
        ]
    ]
]);

But I can't find any way to disable the 'hashType'.

siebsie23
  • 3
    Whoever gave you that plaintext-password prefilled database, take them to a dark corner and slap them in the face with a wet fish until they beg for mercy... once you're done, update the database and hash the passwords. – ndm Sep 07 '21 at 12:16
  • 1
    @ndm You are right. I updated the database to a simple sha1 and let CakePHP rehash the password upon login. I hope they don't mind I changed stuff in the database and otherwise I'm going to the local supermarket to find some fish :) – siebsie23 Sep 07 '21 at 12:36

1 Answer


I ended up not disabling password hashing, but using a fallback method like the one in my question.

I hashed all the passwords in my database with sha1 by using a SQL query. (sha1 isn't secure, but that was not required in my case.)

When a user logs in, CakePHP checks if the password has to be upgraded to a more secure hash and does so if required. (More info on CakePHP hashers/upgrading can be found here: https://book.cakephp.org/authentication/2/en/password-hashers.html)

siebsie23
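The verify-then-upgrade flow the answer above relies on, shown in plain PHP as an added example (not code from the post and not CakePHP's own implementation). The `$users` array and the function names are hypothetical, and legacy rows are assumed to hold unsalted SHA-1 hex digests as the answer describes.

```php
<?php
declare(strict_types=1);

// Constructed sample rows: alice still has the interim unsalted SHA-1 digest,
// bob already has a password_hash() value. Names are hypothetical.
$users = [
    'alice' => sha1('correct horse'),
    'bob'   => password_hash('hunter2', PASSWORD_DEFAULT),
];

// A bare 40-character hex string is treated as a legacy SHA-1 digest.
function isLegacySha1(string $stored): bool
{
    return strlen($stored) === 40 && ctype_xdigit($stored);
}

// Returns the hash to store after a successful login, or null on a wrong password.
function verifyAndUpgrade(string $plain, string $stored): ?string
{
    if (isLegacySha1($stored)) {
        // Constant-time comparison; a matching legacy row is always upgraded.
        return hash_equals(strtolower($stored), sha1($plain))
            ? password_hash($plain, PASSWORD_DEFAULT)
            : null;
    }
    if (!password_verify($plain, $stored)) {
        return null;
    }
    // Re-hash too when PHP's default algorithm or cost has moved on.
    return password_needs_rehash($stored, PASSWORD_DEFAULT)
        ? password_hash($plain, PASSWORD_DEFAULT)
        : $stored;
}

function login(array &$users, string $name, string $plain): bool
{
    $new = isset($users[$name]) ? verifyAndUpgrade($plain, $users[$name]) : null;
    if ($new === null) {
        return false;
    }
    $users[$name] = $new; // persist the upgraded hash, as a save() would
    return true;
}

foreach ([['alice', 'wrong'], ['alice', 'correct horse'], ['bob', 'hunter2']] as [$n, $p]) {
    printf("%s login=%s legacy_after=%s\n", $n,
        var_export(login($users, $n, $p), true),
        var_export(isLegacySha1($users[$n]), true));
}
```

Accounts that never log in keep their SHA-1 digest indefinitely, so a migration like this is only complete once the remaining legacy rows are forced through a password reset.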