I am checking out the bcrypt hash-algorithm.
My first test with password_hash():

```php
echo password_hash("123", PASSWORD_BCRYPT, array( "salt" => "1234567890123456789012" ));
echo password_hash("123", PASSWORD_BCRYPT, array( "salt" => "1234567890123456789012xxxxxxxxxxxxxxx" ));
```

Both will return '$2y$10$123456789012345678901uiaLpJxTpf6VbfI5NADlsRsfvEm6aq9C'.

- Why the heck is the salt stored inside of the hash? This makes no sense at all to me. An attacker who gets the hashes from a database can't do anything with them if he does not know the salt.
- Why do I get the same hash with two different salts? Are only the first 22 chars used for the salt passed to the function?
Thank you very much!
The salt isn't a secret; it's generally stored in the database with the hash, and could just as well be stored directly in the hash, like password_hash does. The salt creates uniqueness so the hash can't easily be cracked with things like rainbow tables or dictionaries. It doesn't really add security other than making the hash more unique, so running a dictionary or table against the hash doesn't match because it also includes the salt.

If you omit the salt, a random salt will be generated by password_hash() for each password hashed. This is the intended mode of operation, and you shouldn't supply your own salts. PHP 7 will actually produce a warning telling you that using the salt option is deprecated.

The salt passed needs to be at least 22 characters, but most underlying algorithms, like bcrypt, don't use the entire salt; see this answer for more on that.
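To make the answer's two points concrete (the salt travels inside the hash, and password_hash() should pick it for you), here is an added example that is not part of the original question or answer. The helper name showHashParts and the assumption that the hash has the standard bcrypt layout `$2y$<cost>$<22-char salt><31-char digest>` are mine; everything else is the stock PHP password API.

```php
<?php
// Added example, not from the original post.
// Demonstrates that the salt is embedded in the bcrypt string and that
// password_verify() needs nothing but the stored string to check a password.

function showHashParts(string $hash): array
{
    // Assumed layout (standard for PHP's bcrypt output):
    //   $2y$10$<22 base64 chars of salt><31 base64 chars of digest>
    $parts = explode('$', $hash);
    if (count($parts) !== 4 || strlen($parts[3]) !== 53) {
        throw new InvalidArgumentException('not a bcrypt hash');
    }
    return [
        'algo'   => $parts[1],                 // "2y"
        'cost'   => (int) $parts[2],           // work factor, also stored in the hash
        'salt'   => substr($parts[3], 0, 22),  // 128-bit salt, base64-encoded
        'digest' => substr($parts[3], 22),     // the actual hash output
    ];
}

$password = '123';

// Intended usage: no "salt" option, password_hash() draws a random salt itself.
$hashA = password_hash($password, PASSWORD_BCRYPT, ['cost' => 10]);
$hashB = password_hash($password, PASSWORD_BCRYPT, ['cost' => 10]);

// Same password, two different strings: the salts differ, so a precomputed
// table built for one salt is useless against the other.
var_dump($hashA !== $hashB);                          // bool(true)
var_dump(showHashParts($hashA)['salt'] !== showHashParts($hashB)['salt']); // bool(true)

// Verification reads salt and cost back out of the stored string; nothing
// secret has to be kept alongside it.
var_dump(password_verify($password, $hashA));         // bool(true)
var_dump(password_verify($password, $hashB));         // bool(true)
var_dump(password_verify('wrong', $hashA));           // bool(false)

print_r(showHashParts($hashA));
```

Run it twice and the salt and digest change each time while every password_verify() result stays the same, which is exactly why the database only needs to hold the one string. If you ever change the cost, password_needs_rehash() can tell you on login that a stored hash was made with the old settings, again reading the parameters straight out of the string.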