
Comparing passwords with crypt() in PHP


The following code example may answer your questions.

To generate a hashed password using Blowfish, you first need to generate a salt, which starts with $2a$, followed by the iteration count and 22 characters of a Base64 string.

    $salt = '$2a$07$usesomadasdsadsadsadasdasdasdsadesillystringfors';
    $digest = crypt('rasmuslerdorf', $salt);

Store the whole $digest in the database; it contains both the salt and the digest.

When comparing passwords, just do this:

    if (crypt($user_input, $digest) == $digest) {
        // password matches
    }

You are reusing the digest as the salt. crypt knows how long the salt is from the algorithm identifier.


New salt for every password

    $password = 'p@ssw0rd';
    $salt = uniqid('', true);
    $algo = '6'; // CRYPT_SHA512
    $rounds = '5042';
    $cryptSalt = '$'.$algo.'$rounds='.$rounds.'$'.$salt;
    $hashedPassword = crypt($password, $cryptSalt);
    // Store complete $hashedPassword in DB
    echo "<hr>$password<hr>$algo<hr>$rounds<hr>$cryptSalt<hr>$hashedPassword";

Authentication

    if (crypt($passwordFromPost, $hashedPasswordInDb) == $hashedPasswordInDb) {
        // Authenticated
    }
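An added example, not from any of the answers above, that puts the two answers' pieces together for bcrypt: a CSPRNG-generated 22-character salt, the stored digest reused as the salt on verification, a check for crypt()'s failure strings, and hash_equals() in place of ==. The function names are my own; it uses the $2y$ prefix that PHP 5.3.7+ recommends over the answers' $2a$, and needs PHP 7.0+ for random_bytes().

```php
<?php
// Added example (not from the answers above). Builds a bcrypt salt of the
// form $2y$ + two-digit cost + 22 chars from the ./A-Za-z0-9 alphabet using
// CSPRNG bytes, hashes with crypt(), and verifies with a constant-time compare.
// Function names are assumptions; requires PHP 7.0+ (random_bytes, hash_equals).

function makeBcryptSalt(int $cost = 10): string {
    // 16 random bytes -> 24 base64 chars; crypt() only reads the first 22.
    // Standard base64 uses '+', bcrypt's salt alphabet uses '.' instead.
    $b64 = strtr(base64_encode(random_bytes(16)), '+', '.');
    return sprintf('$2y$%02d$%s', $cost, substr($b64, 0, 22));
}

function hashPassword(string $password, int $cost = 10): string {
    $digest = crypt($password, makeBcryptSalt($cost));
    // crypt() signals failure with a short string such as "*0" or "*1";
    // a bcrypt digest is always 60 characters, so never store anything else.
    if (strlen($digest) !== 60) {
        throw new RuntimeException('bcrypt hashing failed');
    }
    return $digest;
}

function verifyPassword(string $input, string $storedDigest): bool {
    // The stored digest doubles as the salt: crypt() reads the $2y$ prefix,
    // the cost and the 22 salt characters from it, as the answers describe.
    // hash_equals() instead of == keeps the comparison time independent of
    // how many leading characters happen to match.
    return hash_equals($storedDigest, crypt($input, $storedDigest));
}

$stored = hashPassword('rasmuslerdorf', 7);
var_dump(verifyPassword('rasmuslerdorf', $stored));
var_dump(verifyPassword('wrong password', $stored));
```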


Quoting from the manual

CRYPT_BLOWFISH - Blowfish hashing with a salt as follows: "$2a$", a two digit cost parameter, "$", and 22 base 64 digits from the alphabet

Note: 22 base 64 digits