@redoPop
Created October 5, 2011 00:22
CakePHP 2.0 Authentication object for use with better hash methods (bcrypt, etc.)
<?php
App::uses('FormAuthenticate', 'Controller/Component/Auth');
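class HashFormAuthenticate extends FormAuthenticate {

/**
 * Find a user record given a username and unhashed password.
 *
 * Unlike the parent FormAuthenticate, the password is not part of the
 * database query: the record is looked up by username (plus any configured
 * `scope`) and the stored hash is then verified in PHP by checkPassword(),
 * so the stored value can use any hashing scheme.
 *
 * @param string $username The username/identifier.
 * @param string $password The unhashed password.
 * @return mixed Either false on failure, or an array of user data with the
 *   password field removed.
 */
	protected function _findUser($username, $password) {
		$userModel = $this->settings['userModel'];
		list($plugin, $model) = pluginSplit($userModel);
		$fields = $this->settings['fields'];

		$conditions = array($model . '.' . $fields['username'] => $username);
		if (!empty($this->settings['scope'])) {
			$conditions = array_merge($conditions, $this->settings['scope']);
		}

		$result = ClassRegistry::init($userModel)->find('first', array(
			'conditions' => $conditions,
			'recursive' => 0,
		));

		// No matching record, or a record with no stored hash at all: fail closed
		// (the isset() check also avoids an undefined-index notice below).
		if (empty($result) || empty($result[$model]) || !isset($result[$model][$fields['password']])) {
			return false;
		}

		// Reject when the supplied password does not verify against the stored hash.
		if (!$this->checkPassword($password, $result[$model][$fields['password']])) {
			return false;
		}

		// Never hand the hash back to the caller (it would otherwise end up in the session).
		unset($result[$model][$fields['password']]);
		return $result[$model];
	}

/**
 * Check a password against a hash.
 *
 * You can use any hash method you like. I'm using P5K -- my own library
 * that incorporates PBKDF2 hashes.
 *
 * Returns true if the password matches the hash, false otherwise.
 *
 * @param string $password The unhashed password.
 * @param string $hash The hash to check against.
 * @return bool True if the password matches the hash, false otherwise.
 */
	public function checkPassword($password, $hash) {
		// A missing/empty hash (e.g. an account without a password) or a
		// non-string input (e.g. `password[]=` posted as an array) can never verify.
		if (!is_string($hash) || $hash === '' || !is_string($password)) {
			return false;
		}

		// (phpass/bcrypt check goes here!)

		// Check the password against a PBKDF2 value
		// https://github.com/jdbartlett/P5K
		if (substr($hash, 0, 6) === '$p5k2$') {
			App::uses('P5K', 'Lib');
			return P5K::check($password, $hash);
		}

		// Check the password against CakePHP's built in hash method. The
		// comparison is strict (no `==` type juggling) and constant-time.
		return $this->_constantTimeEquals($hash, Security::hash($password, null, true));
	}

/**
 * Compare two strings in time that does not depend on where they first differ.
 *
 * Uses hash_equals() when the runtime provides it, otherwise a byte-wise
 * XOR accumulation over the full length.
 *
 * @param string $known The stored (expected) value.
 * @param string $user The value derived from user input.
 * @return bool True if both strings are identical.
 */
	protected function _constantTimeEquals($known, $user) {
		if (function_exists('hash_equals')) {
			return hash_equals($known, $user);
		}

		$length = strlen($known);
		if ($length !== strlen($user)) {
			return false;
		}

		$diff = 0;
		for ($i = 0; $i < $length; $i++) {
			$diff |= ord($known[$i]) ^ ord($user[$i]);
		}
		return $diff === 0;
	}
}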