Where is the salt stored for password_hash?

醉梦人生 2021-01-12 09:55

According to (relatively) new PHP documentation:

The password_hash function uses a random salt (which we should not worry about.. O_O), so if I understand correctly

2 answers
  •  独厮守ぢ
    2021-01-12 10:54

    Let's learn by example from what everyone else is telling you:

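        // Note: the 'salt' option is deprecated as of PHP 7.0 and ignored as of PHP 8.0;
        // it is fixed here only so the salt is easy to spot in the output.
        $options = [
            'cost' => 11,
            'salt' => 'abcdefghijklmnopqrstuv',
        ];
        echo password_hash("rasmuslerdorf", PASSWORD_DEFAULT, $options)."\n";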
    

    Output:

    $2y$**11**$**abcdefghijklmnopqrstuu**7aZVUzfW85EB4mHER81Oudv/rT.rmWm

    The bolded parts are your cost and salt, respectively embedded in the resulting hash.

    You can spit this back into password_verify and it will handle it accordingly:

        print_r(password_verify('rasmuslerdorf', '$2y$11$abcdefghijklmnopqrstuu7aZVUzfW85EB4mHER81Oudv/rT.rmWm')); // true
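
The layout described in the answer above, as an added example that is not part of the original post: it splits a bcrypt string into its fields and shows that the whole string is the only value that has to be stored. `parse_bcrypt_hash()` is a hypothetical helper name and the sample password is constructed.

```php
<?php
// Added example: split a bcrypt string from password_hash() into its fields.
// Layout: $<id>$<cost>$<22-char salt><31-char digest> (60 characters in total).

// parse_bcrypt_hash() is a hypothetical helper, not a PHP built-in.
function parse_bcrypt_hash(string $hash): ?array
{
    // bcrypt encodes salt and digest with its own base64 alphabet: ./A-Za-z0-9
    $pattern = '~^\$(2[abxy])\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$~D';
    if (!preg_match($pattern, $hash, $m)) {
        return null; // not a bcrypt string (Argon2 hashes use a different layout)
    }
    return ['id' => $m[1], 'cost' => (int) $m[2], 'salt' => $m[3], 'digest' => $m[4]];
}

// The hash string quoted in the answer above.
$stored = '$2y$11$abcdefghijklmnopqrstuu7aZVUzfW85EB4mHER81Oudv/rT.rmWm';
print_r(parse_bcrypt_hash($stored));

// With no 'salt' option, password_hash() generates a random salt on every call,
// so hashing the same password twice gives two different strings.
$password = 'correct horse battery staple'; // constructed sample value
$h1 = password_hash($password, PASSWORD_BCRYPT, ['cost' => 11]);
$h2 = password_hash($password, PASSWORD_BCRYPT, ['cost' => 11]);
var_dump(parse_bcrypt_hash($h1)['salt'] === parse_bcrypt_hash($h2)['salt']);

// password_verify() reads id, cost and salt back out of the stored string,
// which is why both hashes verify although no salt is stored separately.
var_dump(password_verify($password, $h1), password_verify($password, $h2));
var_dump(password_verify('wrong guess', $h1));

// Because the cost travels with the hash, a policy change can be detected per
// record at login time and the password re-hashed with the new cost.
var_dump(password_needs_rehash($h1, PASSWORD_BCRYPT, ['cost' => 12]));
```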
    
