Using BCrypt in Lucee

We are migrating an old site from .NET over to CF/Lucee and they were using BCrypt to hash their passwords. Is there a way to do this in Lucee currently. I did a bit of digging, but everything is pretty old. Anyone successfully get this working?

BTW, I see Adobe added GenerateBCryptHash to CF this year.

As always, the client would like us to get this working and not cause any issues to their users.

Thanks in advance.

W

Lucee doesn’t have built-in support at the moment, but third-party options include cfPassPhrase which we’ve been using for a while, and Password4j which Ben blogged about recently.

Thanks @Julian_Halliwell! Right after I posted this topic, I stumbled across the cfPassPhrase Lucee Extension. Do you happen to have an example of how to fine tune the algorithm? The default cfPassPhrase settings are different and I can’t seem to find anywhere on the site how to pass the version of BCrypt ("$2a","$2y" or “$2b”) or the number of rounds.

When checking a hash you don’t need to pass any parameters. The algorithm/version and rounds used to create it are specified at the beginning the hash you are checking (between the $ signs).

When creating a hash, you can specify the rounds in the AlgorithmParams argument e.g. { rounds: 15 }

https://docs.sorcerersisle.com/cfpassphrase/functions/PassphraseHash

There are also a few modules on Forgebox:
https://forgebox.io/?search=bcrypt

Thanks guys, everything is working great!

ACF2021 added this function recently and in lucee have this enhancement ticket [LDEV-3409] ACF2021 - BCrypt - Lucee