bcrypt hash
Mar 23, 2017
1 minute read

bcrypt is a good way to handle password authentication. In PHP it is available through crypt() with the Blowfish algorithm, or through the password_hash() shortcut that current PHP versions provide.

Yii framework project templates use bcrypt for handling passwords, and framework components provide polyfills that ensure bcrypt is used correctly.

bcrypt produces a compound hash that looks like the following:

$2y$13$YUUgrko03UmNU/fe6gNcO.Hka4lrdRlkq0iJ5d4bv4fK.sKS.6jXu

The string is always 60 characters long.

  • 2y indicates the algorithm. We are using Blowfish, so in current PHP versions it should always be 2y.
  • 13 is the computation cost: 2^13 iterations of the key derivation function.
  • The rest of the string is the concatenated salt and hash, encoded with base64 using a custom set of characters. The first 22 symbols are the 16-byte salt; the rest is the hash itself.

When verifying a password input, bcrypt extracts the algorithm version, cost, salt and hash from the stored compound hash string. Then, using the data extracted, it calculates a hash of the input and compares it with the hash we store.
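As an added example (not code from the original post, from PHP or from Yii), here is a small Python parser that splits the compound string above into exactly the fields the list describes, decodes bcrypt's custom base64 alphabet into the raw 16-byte salt and 23-byte hash, and adds a check modelled on PHP's password_needs_rehash() that flags stored hashes whose cost has fallen below the current policy. The function names, the 4..31 cost range check and the minimum cost of 13 are assumptions chosen for the example; the sample hash is the one from the post.

```python
import re

# bcrypt's base64 alphabet differs from RFC 4648: it starts with "./" and uses no padding.
BCRYPT_ALPHABET = "./ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"

# $<version>$<cost>$<22-char salt><31-char hash>; 2a/2b/2x variants exist, PHP emits 2y.
BCRYPT_RE = re.compile(
    r"^\$(2[abxy])\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$"
)


def bcrypt_b64decode(text):
    """Decode bcrypt's custom base64: 6 bits per symbol, leftover bits dropped."""
    acc, bits, out = 0, 0, bytearray()
    for ch in text:
        acc = (acc << 6) | BCRYPT_ALPHABET.index(ch)
        bits += 6
        if bits >= 8:
            bits -= 8
            out.append((acc >> bits) & 0xFF)
            acc &= (1 << bits) - 1  # keep only the not-yet-emitted low bits
    return bytes(out)


def parse_bcrypt(compound):
    """Split a bcrypt compound hash into its parts; raise ValueError if malformed."""
    if len(compound) != 60:
        raise ValueError("bcrypt hash must be exactly 60 characters")
    m = BCRYPT_RE.match(compound)
    if not m:
        raise ValueError("not a bcrypt compound hash")
    version, cost, salt_b64, hash_b64 = m.groups()
    cost = int(cost)
    if not 4 <= cost <= 31:  # assumed sanity range for the cost parameter
        raise ValueError("cost out of range")
    return {
        "version": version,
        "cost": cost,
        "rounds": 2 ** cost,                  # 2^cost iterations of the KDF
        "salt": bcrypt_b64decode(salt_b64),   # 22 symbols -> 16 bytes
        "hash": bcrypt_b64decode(hash_b64),   # 31 symbols -> 23 bytes
    }


def needs_rehash(compound, min_cost=13, version="2y"):
    """Modelled on PHP's password_needs_rehash(): True if the stored hash is
    malformed or was produced with weaker parameters than the current policy."""
    try:
        parts = parse_bcrypt(compound)
    except ValueError:
        return True
    return parts["version"] != version or parts["cost"] < min_cost


# Sample hash taken from the post above.
SAMPLE = "$2y$13$YUUgrko03UmNU/fe6gNcO.Hka4lrdRlkq0iJ5d4bv4fK.sKS.6jXu"

if __name__ == "__main__":
    p = parse_bcrypt(SAMPLE)
    print(p["version"], p["cost"], p["rounds"], p["salt"].hex(), p["hash"].hex())
    print("needs rehash at cost 13:", needs_rehash(SAMPLE))
    print("needs rehash at cost 14:", needs_rehash(SAMPLE, min_cost=14))
```

Running a check like needs_rehash() at login time, right after a successful verification, is how a deployment raises its cost over the years without a mass password reset: the plaintext is available at that moment, so the account can be re-hashed with the stronger parameters transparently.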

