hortonzebra
New Member
I have been looking into the best way to encrypt passwords for use with my panel. I decided to go ahead and use BCRYPT, simply due to the cost of each encryption and the fact that it is generally regarded as one of the best available at the current time.

I am using two-way salts, so a unique salt that each user has, and then obviously the salt stored within my application. I noticed some rather strange behavior... and according to the PHP Documentation this behavior is normal?

Anyway, here is the code I use:

[code]
$Crypto = new Crypto( 'HBSNi3y7ruhbVGkhdg83ijdbvghiojkgudL;JP' ); // Constructor argument is the application-wide salt (see the Crypto class below).
echo $Crypto->encrypt( "123456789abcdefghijklm", "StackOverflow_Is_Awesome!" ); // First parameter being the "User Salt", second being the password.
// Above outputs $2y$13$123456789abcdefghijkleepFY8JLvsf2YbnWolqQyO3DIzrCeNIu
[/code]

And now, the Crypto class:

[code]
<?php
// ASSUMING $this->hashingSalt = 'HBSNi3y7ruhbVGkhdg83ijdbvghiojkgudL;JP'
class Crypto {
    private $hashingSalt, $database;

    public function __construct( $salt )
    {
        $this->hashingSalt = $salt;
        $this->database = new DatabaseFunctions(); // Separate database class of the poster's, not shown here.
    }

    public function encrypt( $salt, $password )
    {
        $options = array(
            'cost' => 13,
            'salt' => $salt // 22 chars
        );
        return password_hash( $password . $this->hashingSalt, PASSWORD_BCRYPT, $options );
    }
}
[/code]

So, my interest is, why on earth is this function simply adding the salt set within the options to the start of the outputted string? It really is baffling... because that isn't exactly what I would call secure; it rather defeats the object to me.

Can anyone advise, and try to explain what I am completely looking past? Thanks

PHP Doc: http://php.net/manual/en/function.password-hash.php
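The behaviour the post describes is by design: a bcrypt string in PHP's modular crypt format carries the algorithm id, the cost and the 22-character salt in the clear, followed by the 31-character digest, because `password_verify()` has to recover the cost and salt from the stored string to recompute the hash at login. The salt is not a secret; its job is to make identical passwords hash differently and to defeat precomputed tables, which it does whether or not an attacker can read it. The example below is added here and is not the poster's code: it parses the stored string into those parts, hashes with `password_hash()` letting PHP generate the salt (the `'salt'` option the post uses is deprecated since PHP 7.0 and ignored since 8.0), shows that two hashes of the same password differ yet both verify, and uses `password_needs_rehash()` to spot hashes made with an older cost. The `$pepper` argument stands in for the poster's application-wide `$hashingSalt`; its value and the function names are assumptions of this example. It requires PHP 7.1 or later for the type declarations.

```php
<?php
// Added example, not from the original post. Assumes PHP >= 7.1.

/**
 * Split a bcrypt string ($2y$<cost>$<22-char salt><31-char digest>) into its parts.
 * Returns null when the string is not in the expected format.
 */
function parseBcrypt(string $hash): ?array
{
    // Modular crypt format: identifier, two-digit cost, 22 salt chars, 31 digest chars,
    // all drawn from the bcrypt base64 alphabet "./A-Za-z0-9".
    if (!preg_match('#^\$(2[aby])\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$#', $hash, $m)) {
        return null;
    }
    return [
        'algorithm' => $m[1],
        'cost'      => (int) $m[2],
        'salt'      => $m[3],   // public by design: needed to recompute the hash at login
        'digest'    => $m[4],   // the only part derived from the secret
    ];
}

/**
 * Hash a password the recommended way: no 'salt' option, so password_hash()
 * draws a fresh random salt on every call. $pepper is an optional application-wide
 * secret (the poster's $hashingSalt idea), kept outside the database.
 */
function hashPassword(string $password, string $pepper = ''): string
{
    return password_hash($password . $pepper, PASSWORD_BCRYPT, ['cost' => 13]);
}

/**
 * Verify at login. password_verify() reads cost and salt out of the stored string,
 * so no separately stored per-user salt is needed, and the comparison is
 * timing-safe inside the function.
 */
function checkPassword(string $password, string $storedHash, string $pepper = ''): bool
{
    return password_verify($password . $pepper, $storedHash);
}

// --- demonstration with constructed values (not real secrets) ---
$pepper   = 'constructed-app-wide-secret';
$password = 'StackOverflow_Is_Awesome!';

$hash1 = hashPassword($password, $pepper);
$hash2 = hashPassword($password, $pepper);

$parts1 = parseBcrypt($hash1);
$parts2 = parseBcrypt($hash2);

echo "hash1: $hash1\n";
echo "hash2: $hash2\n";
echo "salt of hash1: {$parts1['salt']}  cost: {$parts1['cost']}\n";

// Same password and pepper, but different random salts, so different strings.
echo 'different salts: ', var_export($parts1['salt'] !== $parts2['salt'], true), "\n";

// Both verify, because each string carries the salt it was made with.
echo 'hash1 verifies: ', var_export(checkPassword($password, $hash1, $pepper), true), "\n";
echo 'hash2 verifies: ', var_export(checkPassword($password, $hash2, $pepper), true), "\n";

// A wrong password or a wrong pepper fails.
echo 'wrong password: ', var_export(checkPassword('wrong-password', $hash1, $pepper), true), "\n";
echo 'wrong pepper:   ', var_export(checkPassword($password, $hash1, 'other-pepper'), true), "\n";

// Raising the cost later: detect stored hashes made with the old parameters
// and rehash them the next time the user logs in successfully.
echo 'needs rehash at cost 14: ', var_export(password_needs_rehash($hash1, PASSWORD_BCRYPT, ['cost' => 14]), true), "\n";
```

Two caveats for the pepper pattern in the post: bcrypt only processes the first 72 bytes of its input, so appending an application secret to a long password can push the secret past the point where it has any effect (prefixing it, or pre-hashing, avoids that), and the pepper must be kept out of the database, otherwise it adds nothing over the per-hash salt that is already stored in the clear.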