github twitter linkedin email rss
bcrypt hash
Mar 23, 2017
1 minute read

bcrypt is a good way to deal with password authentication. In PHP it is available via crypt with blowfish algorithm or a shortcut password_hash function current PHP versions are providing.

Yii framework project templates are using bcrypt for handling passwords. Framework components are providing polyfills ensuring bcrypt is used correctly.

bcrypt produces a compound hash that looks like the following:


The string is always 60 characters long.

  • 2y indicates algorithm. We are using blowfish so in current PHP versions it should always be 2y.
  • 13 is computation cost. 2^13 iterations of key derivation function.
  • Rest of the string is concatenated salt, and hash encoded with base64 with a custom set of characters. First 22 symbols are 16 bytes salt. The rest are the hash itself.

When verifying a password input bcrypt extract algorithm version, cost, salt and hash from compound hash string of a saved password. Then, using the data extracted, it calculates a hash of the input and compares it with the hash we store.

Back to posts

comments powered by Disqus