We are migrating an old site from .NET over to CF/Lucee and they were using BCrypt to hash their passwords. Is there a way to do this in Lucee currently? I did a bit of digging, but everything is pretty old. Anyone successfully get this working?
BTW, I see Adobe added GenerateBCryptHash to CF this year.
As always, the client would like us to get this working and not cause any issues to their users.
Thanks in advance.
W
Lucee doesn’t have built-in support at the moment, but third-party options include cfPassPhrase which we’ve been using for a while, and Password4j which Ben blogged about recently.
Thanks @Julian_Halliwell! Right after I posted this topic, I stumbled across the cfPassPhrase Lucee Extension. Do you happen to have an example of how to fine-tune the algorithm? The default cfPassPhrase settings are different and I can’t seem to find anywhere on the site how to pass the version of BCrypt (“$2a”, “$2y” or “$2b”) or the number of rounds.
When checking a hash you don’t need to pass any parameters. The algorithm/version and rounds used to create it are specified at the beginning of the hash you are checking (between the $ signs).
When creating a hash, you can specify the rounds in the AlgorithmParams argument, e.g. { rounds: 15 }
https://docs.sorcerersisle.com/cfpassphrase/functions/PassphraseHash
There are also a few modules on Forgebox:
https://forgebox.io/?search=bcrypt
Thanks guys, everything is working great!
ACF2021 added this function recently, and Lucee has this enhancement ticket: [LDEV-3409] - Lucee
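
A reply above notes that the version and rounds are stored at the start of the hash, between the $ signs. As an added example (not part of any post in this thread and not cfPassPhrase code), this CFML function splits a bcrypt hash into those parts so imported hashes can be inspected before migration; `parseBcryptHash`, `minimumRounds` and the sample strings are assumptions made for illustration.

```cfml
<cfscript>
// Added example (not from the thread). Parses the bcrypt modular crypt format:
//   $<version>$<cost>$<22-char salt><31-char digest>   (60 characters in total)
function parseBcryptHash( required string hash ) {
    var info = { valid: false, version: "", rounds: 0, salt: "", digest: "" };
    // bcrypt uses its own base64 alphabet: . / A-Z a-z 0-9
    var pattern = "^\$(2[abxy]?)\$([0-9]{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$";
    var m = reFind( pattern, arguments.hash, 1, true );
    if ( m.pos[ 1 ] == 0 ) {
        return info; // not a well-formed bcrypt hash
    }
    info.version = mid( arguments.hash, m.pos[ 2 ], m.len[ 2 ] );
    info.rounds  = val( mid( arguments.hash, m.pos[ 3 ], m.len[ 3 ] ) );
    info.salt    = mid( arguments.hash, m.pos[ 4 ], m.len[ 4 ] );
    info.digest  = mid( arguments.hash, m.pos[ 5 ], m.len[ 5 ] );
    // The cost is a log2 work factor; bcrypt accepts 4 to 31.
    info.valid   = ( info.rounds >= 4 && info.rounds <= 31 );
    return info;
}

// Hypothetical policy value: hashes below this cost are re-hashed after a successful login.
minimumRounds = 12;

// Constructed sample values with the right shape; they are not real password hashes.
samples = [
    "$2a$10$" & repeatString( "A", 22 ) & repeatString( "b", 31 ),
    "$2b$12$" & repeatString( "C", 22 ) & repeatString( "d", 31 ),
    "$2y$08$" & repeatString( "E", 22 ) & repeatString( "f", 31 ),
    repeatString( "0", 32 ) // constructed non-bcrypt value
];

for ( sample in samples ) {
    info = parseBcryptHash( sample );
    if ( !info.valid ) {
        writeOutput( "rejected: not a bcrypt hash<br>" );
    } else if ( info.rounds < minimumRounds ) {
        writeOutput( "$#info.version#$ rounds=#info.rounds#: verify, then re-hash<br>" );
    } else {
        writeOutput( "$#info.version#$ rounds=#info.rounds#: ok<br>" );
    }
}
</cfscript>
```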