Dan Dan - 1 month ago 12
PHP Question

password_hash: any advantages of automatically generated salt over manual?

If I understand correctly, any PHP upgrade, or moving to a different server, will make previously hashed passwords (stored in the database) useless? Because the salt will be different on a new system.

This makes me curious about the use cases for automatically generated salt.

Answer

password_hash() now (as of PHP 7.1.*) only uses bcrypt for hashing passwords. The salt is saved along with the hash, so an upgrade or a move to another server will not make the hashes useless.

As @Jay Blanchard says in his comment, auto salts are an advantage because you don't have to care. Furthermore, the salt option is deprecated as of PHP 7.0.0 in the password_hash bcrypt algorithm, so PHP will always use an automatically generated salt.

See also the Password Hashing Functions at Documentation.
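The answer's point that the salt is stored inside the hash string, shown as an added example that is not part of the original answer. The helper `parse_bcrypt()` is a hypothetical name, the password is a constructed sample, and the cost values 10 and 12 are chosen only for illustration.

```php
<?php
// Added example: the salt travels inside the string returned by password_hash(),
// so verification needs nothing from the server that created the hash.

// Split a bcrypt hash string into its fields:
//   $<variant>$<cost>$<22-char salt><31-char digest>
function parse_bcrypt(string $hash): array
{
    $re = '#^\$(2[abxy])\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$#';
    if (!preg_match($re, $hash, $m)) {
        throw new InvalidArgumentException('not a bcrypt hash string');
    }
    return ['variant' => $m[1], 'cost' => (int) $m[2], 'salt' => $m[3], 'digest' => $m[4]];
}

$password = 'correct horse battery staple'; // constructed sample input

// Same password hashed twice: each call draws its own random salt,
// so the two stored strings differ.
$a = password_hash($password, PASSWORD_BCRYPT, ['cost' => 10]);
$b = password_hash($password, PASSWORD_BCRYPT, ['cost' => 10]);

foreach (['A' => $a, 'B' => $b] as $label => $hash) {
    $f = parse_bcrypt($hash);
    printf("%s: %s\n   variant=%s cost=%d salt=%s\n", $label, $hash, $f['variant'], $f['cost'], $f['salt']);
}
echo 'salts differ: ', var_export(parse_bcrypt($a)['salt'] !== parse_bcrypt($b)['salt'], true), "\n";

// password_verify() reads variant, cost and salt back out of the stored
// string; this is all a new server or a newer PHP version needs.
echo 'verify A: ', var_export(password_verify($password, $a), true), "\n";
echo 'verify B: ', var_export(password_verify($password, $b), true), "\n";
echo 'wrong pw: ', var_export(password_verify('not the password', $a), true), "\n";

// After a migration the stored parameters may be weaker than current policy.
// Rehash at the next successful login instead of invalidating old hashes.
$policy = ['cost' => 12];
if (password_verify($password, $a) && password_needs_rehash($a, PASSWORD_BCRYPT, $policy)) {
    $a = password_hash($password, PASSWORD_BCRYPT, $policy);
    echo 'rehashed, new cost: ', parse_bcrypt($a)['cost'], "\n";
}
```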
