How to create and store password hashes with Blowfish in PHP

Question

1) How do you create secure Blowfish hashes of passwords with crypt()?

$hash = crypt(\'somePassword\', \'$2a$07$nGYCCmhrzjrgdcxjH$\');
         


        

Answer 1

You should store the entire output of crypt, there's not a lot of point in splitting it up, because you need to generate a new salt for each password you're hashing in any case. Using a fixed hidden salt as mentioned by Matt is wrong - the salt should be different for every hash.

For more information see http://www.openwall.com/articles/PHP-Users-Passwords - I recommend using the phpass library because it handles generating a random salt for you, unlike crypt().