Hashing a password confirmation field

When the Auth component is enabled on a controller and the user submits a form with a field named password (regardless if it is being rendered in the login form), the component will automatically hash the password field before executing the controller's action.

This means that the action will never hold the plain password value, and this should be
particularly noted when utilizing mechanisms to confirm password validations. When you
are implementing such validation, make sure you hash the confirmation field using the
proper method:

if (!empty($this->data)) {
$this->data['User']['confirm_password'] = $this->Auth-
>password($this->data['User']['confirm_password']);
// Continue with processing
}