password_hash: any advantages of automatically generated salt over manual?

Question

If I understand correct, any PHP upgrade, or moving to different server will make previously hashed passwords (stored in database) useless? Because the salt will be different on a new system.

This makes me curious about the use cases for automatically generated salt.

Answer 1

password_hash() now (as of PHP 7.1.*) only uses bcrypt for hashing passwords. Salt is saved along with the hash, so upgrade or moving to another server will not make hashes useless.

As @Jay Blanchard says in his comment , auto salts are an advantage because you just don't have to care. All is conveniently and automatically handled.

You even should not create the salt yourself, as it is also very easy to make a mistake when generating the salt yourself (non-random salt, incorrect random source for salt, etc).

Furthermore, the salt option is deprecated as of PHP 7.0.0 in password_hash bcrypt algorithm, so PHP will always use automatically generated salt.

Answer 2

The salt is generated for each password and is stored as a part of the string you get back from the password_hash function. So it will be different for each time you hash a password. The reason we use salt in passwords is to get a new hash every time one is created, so if two users use the password "hunter2" they will be stored as totally different values in the database making rainbow tables useless.

So moving to a new server will not make the previously hashed passwords useless.

Answer 3

if you want to use manual salt, you can use it. even if you move to new server, the previous password will not be useless.

Trick is you can store your manual salt string where you usually store constants of your site, For example, Db username, DB password....

so even if you move to the new server you still use your manual salt string and previously salted data.