Using BCrypt in Lucee

We are migrating an old site from .NET over to CF/Lucee and they were using BCrypt to hash their passwords. Is there a way to do this in Lucee currently? I did a bit of digging, but everything is pretty old. Anyone successfully get this working?

BTW, I see Adobe added GenerateBCryptHash to CF this year.

As always, the client would like us to get this working and not cause any issues to their users.

Thanks in advance.


Lucee doesn’t have built-in support at the moment, but third-party options include cfPassPhrase which we’ve been using for a while, and Password4j which Ben blogged about recently.

Thanks @Julian_Halliwell! Right after I posted this topic, I stumbled across the cfPassPhrase Lucee Extension. Do you happen to have an example of how to fine-tune the algorithm? The default cfPassPhrase settings are different and I can’t seem to find anywhere on the site how to pass the version of BCrypt ("$2a", "$2y" or "$2b") or the number of rounds.

When checking a hash you don’t need to pass any parameters. The algorithm/version and rounds used to create it are specified at the beginning of the hash you are checking (between the $ signs).

When creating a hash, you can specify the rounds in the AlgorithmParams argument e.g. { rounds: 15 }

There are also a few modules on Forgebox:

Thanks guys, everything is working great!

ACF2021 added this function recently, and Lucee has this enhancement ticket: [LDEV-3409] ACF2021 - BCrypt - Lucee
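
The hash layout described earlier in the thread (version and rounds stored between the `$` signs) can be read back out of an existing hash, which helps when auditing migrated records. This is an added CFML example, not code from the thread or from cfPassPhrase; `parseBcryptHash`, `needsRehash` and the default target of 12 are hypothetical names and values, and the sample strings are constructed.

```cfml
<cfscript>
// Added example (not from the thread). BCrypt hash layout, 60 characters:
//   $<version>$<2-digit work factor>$<22-char salt><31-char digest>
struct function parseBcryptHash( required string hash ) {
	var out = { valid: false, version: "", rounds: 0, salt: "", digest: "" };
	var pattern = "^\$(2[abxy]?)\$([0-9]{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$";
	var m = reFind( pattern, arguments.hash, 1, true );
	if ( m.pos[ 1 ] == 0 ) {
		return out; // not a BCrypt-formatted string
	}
	out.version = mid( arguments.hash, m.pos[ 2 ], m.len[ 2 ] );
	// The thread calls this value "rounds"; it is the log2 work factor (valid range 4-31).
	out.rounds  = val( mid( arguments.hash, m.pos[ 3 ], m.len[ 3 ] ) );
	out.salt    = mid( arguments.hash, m.pos[ 4 ], m.len[ 4 ] );
	out.digest  = mid( arguments.hash, m.pos[ 5 ], m.len[ 5 ] );
	out.valid   = out.rounds >= 4 && out.rounds <= 31;
	return out;
}

// Hypothetical migration helper: true when a stored hash should be re-created
// at the next successful login because its work factor is below the target.
boolean function needsRehash( required string hash, numeric targetRounds = 12 ) {
	var p = parseBcryptHash( arguments.hash );
	return !p.valid || p.rounds < arguments.targetRounds;
}

// Constructed strings with BCrypt's shape; they are not hashes of any real password.
samples = [
	"$2a$10$" & repeatString( "A", 22 ) & repeatString( "B", 31 ),
	"$2y$12$" & repeatString( "C", 22 ) & repeatString( "D", 31 ),
	"$2b$15$" & repeatString( "E", 22 ) & repeatString( "F", 31 ),
	"not-a-bcrypt-hash"
];
for ( h in samples ) {
	p = parseBcryptHash( h );
	writeOutput( "valid=#p.valid# version=#p.version# rounds=#p.rounds# needsRehash=#needsRehash( h )#<br>" );
}
</cfscript>
```

Running the parser over the hashes exported from the old .NET site shows which version prefixes and work factors are actually in use before choosing the settings for newly created hashes.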