We are migrating an old site from .NET over to CF/Lucee and they were using BCrypt to hash their passwords. Is there a way to do this in Lucee currently? I did a bit of digging, but everything is pretty old. Anyone successfully get this working?
BTW, I see Adobe added GenerateBCryptHash to CF this year.
As always, the client would like us to get this working and not cause any issues to their users.
Thanks in advance.
W
Lucee doesn’t have built-in support at the moment, but third-party options include cfPassPhrase which we’ve been using for a while, and Password4j which Ben blogged about recently.
Thanks @Julian_Halliwell! Right after I posted this topic, I stumbled across the cfPassPhrase Lucee Extension. Do you happen to have an example of how to fine tune the algorithm? The default cfPassPhrase settings are different and I can’t seem to find anywhere on the site how to pass the version of BCrypt (“$2a”,“$2y” or “$2b”) or the number of rounds.
When checking a hash you don’t need to pass any parameters. The algorithm/version and rounds used to create it are specified at the beginning of the hash you are checking (between the $ signs).
When creating a hash, you can specify the rounds in the AlgorithmParams argument e.g. { rounds: 15 }
https://docs.sorcerersisle.com/cfpassphrase/functions/PassphraseHash
There are also a few modules on Forgebox:
https://forgebox.io/?search=bcrypt
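The point above about the version and rounds being stored inside the hash, as an added example (not part of the original posts and not cfPassPhrase code): it reads those two fields out of each stored hash so you can see which bcrypt variants and costs the migrated .NET data contains before choosing library settings. The function names and row structure are assumptions, and the sample hashes are constructed placeholders.

```cfml
<cfscript>
// Added example. Field layout of a bcrypt hash string:
// $<version>$<rounds>$<22-char salt><31-char digest>
struct function parseBcryptHash( required string hash ) {
    var pattern = "^\$(2[abxy]?)\$([0-9]{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$";
    var m = reFind( pattern, arguments.hash, 1, true );
    if ( m.pos[ 1 ] == 0 ) {
        throw( type = "InvalidBcryptHash", message = "Value is not in bcrypt hash format" );
    }
    // Sub-expression 2 is the version, 3 is the two-digit rounds (cost) field.
    var rounds = val( mid( arguments.hash, m.pos[ 3 ], m.len[ 3 ] ) );
    if ( rounds < 4 || rounds > 31 ) {
        throw( type = "InvalidBcryptHash", message = "Rounds must be between 04 and 31" );
    }
    return {
        version : mid( arguments.hash, m.pos[ 2 ], m.len[ 2 ] ),
        rounds  : rounds
    };
}

// Tally version/rounds combinations and collect ids of rows that are not bcrypt.
struct function summariseHashes( required array rows ) {
    var report = { counts : {}, invalid : [] };
    for ( var row in arguments.rows ) {
        try {
            var parsed = parseBcryptHash( row.hash );
            var label  = "$" & parsed.version & "$ rounds=" & parsed.rounds;
            report.counts[ label ] = ( report.counts[ label ] ?: 0 ) + 1;
        } catch ( InvalidBcryptHash e ) {
            arrayAppend( report.invalid, row.id );
        }
    }
    return report;
}

// Constructed placeholder rows: the salt/digest part is filler, not a real hash.
rows = [
    { id : 1, hash : "$2a$10$" & repeatString( "A", 53 ) },
    { id : 2, hash : "$2y$12$" & repeatString( "b", 53 ) },
    { id : 3, hash : repeatString( "0", 32 ) } // wrong format, reported as invalid
];

// Expect one "$2a$ rounds=10", one "$2y$ rounds=12", and invalid = [3].
writeDump( summariseHashes( rows ) );
</cfscript>
```

Rows listed under `invalid` were not hashed with bcrypt and need a separate migration path; any version prefix that shows up in `counts` has to be one your chosen library accepts when checking.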
Thanks guys, everything is working great!
ACF2021 added this function recently, and Lucee has this enhancement ticket: [LDEV-3409]
I was looking at various options to add Bcrypt in Lucee 6.2.x and most were quite old and not maintained.
The one that appears to be the best for being up to date is password4j, where I can download the JAR at https://repo1.maven.org/maven2/com/password4j/password4j/1.7.0/password4j-1.7.0.jar
Would this be the best one to use or does anybody think there are better options?
It looks like that is the best option for Lucee 6.x. We are still running Lucee 5.x in production and are using andrew-dixon/cfpassphrase-extension on GitHub: an extension version of cfpassphrase for Lucee 5. The original cfpassphrase repo can be found here: https://github.com/boughtonp/cfpassphrase
Has worked great, but not sure if it will work with Lucee 6.x. Since there is the original source code, I thought I would share it.
They just use the mindrot code or jar. I just copy the mindrot BCrypt.jar in the context/lib folder and then just CreateObject(), and then gensalt() and hashpw().