I think there are more than a few problems with your usage. Number one is that, from the password_hash() documentation that:
password_hash() creates a new password hash using a strong one-way hashingalgorithm. password_hash() is compatible with crypt().Therefore, password hashes created by crypt() can be used with password_hash().
The following algorithms are currently supported:
- PASSWORD_DEFAULT - Use the bcrypt algorithm (default as of PHP 5.5.0).Note that this constant is designed to change over time as new and stronger algorithms are added to PHP. For that reason, the length of the result from using this identifier can change overtime. Therefore, it is recommended to store the result in a database column that can expand beyond 60 characters (255 characters would be a good choice).
- PASSWORD_BCRYPT - Use the CRYPT_BLOWFISH algorithm to create the hash. This will produce a standard crypt() compatible hash using the "$2y$" identifier. The result will always be a 60 character string, or FALSE on failure.
- -x-SNIP-x-
Supported options for PASSWORD_BCRYPT:
- salt (string) - to manually provide a salt to use when hashing the password.Note that this will override and prevent a salt from being automatically generated.
If omitted, a random salt will be generated by password_hash() foreach password hashed. This is the intended mode of operation.
Warning
The salt option has been deprecated as of PHP 7.0.0. It is nowpreferred to simply use the salt that is generated by default.
- cost (integer) - which denotes the algorithmic cost that should be used. Examples of these values can be found on the crypt() page.
If omitted, a default value of 10 will be used. This is a good baseline cost, but you may want to consider increasing it depending on your hardware.
You are prepending the '$2y$' string to the output, meaning all of your hashes will begin with '$2y$$2y$', and likely will not be valid when compared with any other generation.
Second, while the PHP documentation for their function recommends not using your own salt, it is also likely not written with the idea of using in concert with another implementation. The salt required for bcrypt is 16 octets for Crypt::Eksblowfish::Bcrypt, but the version required for the PHP implementation is the 22 octet base_64 version:
$ perl -MCrypt::Eksblowfish::Bcrypt -le '
print q{Type: }, q{$2y$};
print q{Cost: }, q{08$};
print q{Salt: },
Crypt::Eksblowfish::Bcrypt::en_base64( q{123456789ABCDEF0} );
print q{Crypt: }, Crypt::Eksblowfish::Bcrypt::en_base64(
Crypt::Eksblowfish::Bcrypt::bcrypt_hash(
{ cost => 8, key_nul => 1, salt => q{123456789ABCDEF0}, },
q{mypassword},
),
);'
Type: $2y$
Cost: 08$
Salt: KRGxLBS0Lxe3OSHBPCTEK.
Crypt: Z5VFP/2zEj1MNFdSZntUvutFe5uqO6S
$
$ php -a
Interactive shell
php > echo password_hash("mypassword", PASSWORD_BCRYPT,
php ( [ 'cost' => 8, 'salt' => 'KRGxLBS0Lxe3OSHBPCTEK.', ], );
$2y$08$KRGxLBS0Lxe3OSHBPCTEK.Z5VFP/2zEj1MNFdSZntUvutFe5uqO6S
php > ^D
$
When placed in the same format, you will see that the results are indeed the same:
PHP: $2y$08$KRGxLBS0Lxe3OSHBPCTEK.Z5VFP/2zEj1MNFdSZntUvutFe5uqO6S
Perl: $2y$08$KRGxLBS0Lxe3OSHBPCTEK.Z5VFP/2zEj1MNFdSZntUvutFe5uqO6S
'$2y$' - Identify to crypt() the format used (bcrypt - '$2y$')
'08$ - Identify the cost value used
'KRGxLBS0Lxe3OSHBPCTEK.' - Salt value used
('123456789ABCDEF0').
'Z5VFP/2zEj1MNFdSZntUvutFe5uqO6S' - Hashed password ('mypassword').
Hope that helps.
