如何在PHP中将密码以BCRYPT的形式存储为数据库中的$ 2a $ 15

Question

I am wondering on how to store passwords as BCRYPT that starts with $2a$15 , because I have already setup my register and it already stores the passwords in BCRYPT .

However, when it stores the passwords as BCRYPT , the output is $2y$15 , but I want it as $2a$15 . I am new to BCRYPT and I find it quite hard to understand.

Anyway, here is my BCRYPT code:

function encryptedPassword($strPassword) {
    $strSHA256 = hash('sha256', $strPassword);
    $strBcrypt = password_hash($strSHA256, PASSWORD_BCRYPT, array('cost' => 15, 'salt' => bin2hex(openssl_random_pseudo_bytes(12))));
    return $strBcrypt;
}

So, say if my password is Hello123! . The output of that would be:

$2y$15$aa979703a103b0a45b2afO0KS15RjWu5Lc8sa4.xQlsw9QLtyhp/O

and I want it to be:

$2a$15$aa979703a103b0a45b2afO0KS15RjWu5Lc8sa4.xQlsw9QLtyhp/O

I don't know if this is to do with the salt, can someone help me?

Answer 1

From PHP manual:

PASSWORD_BCRYPT - Use the CRYPT_BLOWFISH algorithm to create the hash. This will produce a standard crypt() compatible hash using the "$2y$" identifier. The result will always be a 60 character string, or FALSE on failure.

So using BCRYPT will always produce $2y$. By the way, the begining part of the hash is just an identifier, used for testing the password afterwards with password_verify. Just like the $15$ in your case being the cost of the hashing algorithm...

I suggest you read more on PHP password hashing. There is absolutely no sane reason why you'd want a hash to absolutely start with X or Y...

The PHP folks have put great efforts on giving you secure password hashing functions. You should really try using them without hacking stuff around it. hashing a hash is no safer than just hashing once. The salt option is deprecated in PHP7, I'd suggest you get rid of it, PHP can handle it better than you.