bcrypt is a good way to deal with password authentication. In PHP it is available through crypt() with the Blowfish algorithm or, in current PHP versions, through the password_hash() shortcut.
Yii framework project templates use bcrypt for handling passwords, and the framework's components provide polyfills that ensure bcrypt is used correctly.
bcrypt produces a compound hash that looks like the following:
$2y$13$YUUgrko03UmNU/fe6gNcO.Hka4lrdRlkq0iJ5d4bv4fK.sKS.6jXu
The string is always 60 characters long.
- 2y indicates the algorithm. We are using Blowfish, so in current PHP versions it should always be 2y.
- 13 is the computation cost: 2^13 iterations of the key derivation function.
- The rest of the string is the salt concatenated with the hash, encoded with base64 using a custom set of characters. The first 22 symbols are the 16-byte salt; the rest is the hash itself.
When verifying a password input, bcrypt extracts the algorithm version, cost, salt and hash from the stored compound hash string. Then, using the data extracted, it calculates a hash of the input with the same version, cost and salt and compares the result with the hash we store.
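The following PHP script is an added example, not code from the article or from the Yii framework. It splits the hash shown above into the fields described in the list, then performs the verification step the last paragraph describes by hand with crypt() and compares that with what password_verify() does. The password value and the parseBcrypt() helper are constructed for this example; the stored hash is the one quoted in the article.

```php
<?php
// Added example: dissect a bcrypt compound hash and walk through verification.
declare(strict_types=1);

/**
 * Split a 60-character bcrypt hash into version, cost, salt and hash.
 * Layout: $<version>$<cost>$<22 salt chars><31 hash chars>
 * (7 + 22 + 31 = 60 characters). Helper written for this example.
 */
function parseBcrypt(string $compound): array
{
    $pattern = '#^\$(2[aby])\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$#';
    if (!preg_match($pattern, $compound, $m)) {
        throw new InvalidArgumentException('Not a bcrypt compound hash');
    }
    return [
        'version' => $m[1],            // 2y in current PHP
        'cost'    => (int) $m[2],      // log2 of the number of key-setup rounds
        'rounds'  => 2 ** (int) $m[2], // 2^cost
        'salt'    => $m[3],            // 22 base64 characters = 16 bytes
        'hash'    => $m[4],            // 31 base64 characters = 23 bytes
    ];
}

// The hash quoted in the article, used here as the sample stored value.
$stored = '$2y$13$YUUgrko03UmNU/fe6gNcO.Hka4lrdRlkq0iJ5d4bv4fK.sKS.6jXu';
print_r(parseBcrypt($stored));

// Creating a hash in the application: explicit cost 13 as in the article.
$password = 'correct horse battery staple'; // constructed sample password
$hash = password_hash($password, PASSWORD_BCRYPT, ['cost' => 13]);
var_dump(strlen($hash)); // a bcrypt hash is always 60 characters long

// Verification by hand, as the text describes: crypt() reads the version,
// cost and salt from the leading 29 characters of the stored hash, runs
// bcrypt over the input with them, and returns a new compound hash.
// If the input is the right password the two strings are identical.
$recomputed = crypt($password, $hash);
var_dump(hash_equals($hash, $recomputed)); // constant-time comparison

// password_verify() performs exactly the same steps, including the
// constant-time compare, so application code should just call it.
var_dump(password_verify($password, $hash));
var_dump(password_verify('wrong password', $hash));

// Raising the cost later: password_needs_rehash() reports that a hash
// stored with cost 13 does not match the new policy, so the application
// can regenerate it on the user's next successful login.
var_dump(password_needs_rehash($hash, PASSWORD_BCRYPT, ['cost' => 14]));
```

Two points worth keeping in mind when reading the output: password_hash() draws a fresh 16-byte salt every time, so hashing the same password twice gives two different 60-character strings that both verify, and bcrypt only uses the first 72 bytes of the input, so longer passwords are silently truncated at that length.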