PHP password_hash(), default or custom salt? [duplicate]
The really short answer to this question is to use password_hash()
with the default salt (your first option), custom salt is deprecated in PHP7 because, to quote php.net:
The salt option for the password_hash() function has been deprecated to prevent developers from generating their own (usually insecure) salts. The function itself generates a cryptographically secure salt when no salt is provided by the developer - therefore custom salt generation should not be needed.
By the same token, your third option, hash()
should be avoided as again you'll need to generate your own salt.