
Does Randomly Generated Salt Affect Password Verification with bcrypt?

Published on 2024-11-10

bcrypt and Randomly Generated Salts

Background

bcrypt is a password hashing algorithm that salts every hash: random data is mixed into the hash input so that even identical passwords produce different stored hashes.

Salt Generation and Hashing

The PHP class in question has a genSalt() function that produces a random salt with openssl_random_pseudo_bytes(). The genHash() function then uses this salt as part of the bcrypt hashing process.

genHash() takes a password and hashes it together with the randomly generated salt. The resulting string contains an algorithm-specific prefix ($2y$) identifying bcrypt, the algorithm's parameters (the cost, or workload factor), the salt itself, and the hashed password.

Password Verification

To verify a password, the verify() function compares the entered password with the stored hash. It does this by hashing the supplied password again with crypt(), passing the stored hash as the salt argument, and comparing the result with what was stored.

Understanding the Hash Comparison Logic

The key to understanding why a randomly generated salt does not break password verification is the format of the stored hash. The string consists of two main parts:

  1. The algorithm prefix ($2y$), the workload factor (e.g., 10), and the salt (e.g., abcdefg...)
  2. The hashed password

When verify() hashes the supplied password with the stored hash as the salt argument, crypt() reads only the first part (prefix, workload factor and salt) and ignores the trailing hashed-password portion. The verification therefore reuses exactly the salt that was used when the hash was created, and the new result can be compared with the stored string.
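The generation, hashing and verification steps described above, written out as an added example; this is not the class the page discusses. The function names genSalt(), genHash() and verify() are reused for readability, but the bodies, the salt encoding step and the hash_equals() comparison are my own assumptions about how the flow should look.

```php
<?php
// Added example (not the class discussed on the page): bcrypt salt generation,
// hashing and verification with PHP's crypt(). Function bodies are assumptions.

const BCRYPT_COST = 10;

// Produce a 22-character salt from the bcrypt alphabet ("./A-Za-z0-9").
// crypt() needs exactly 22 such characters after "$2y$<cost>$", so raw bytes
// from random_bytes() / openssl_random_pseudo_bytes() must be encoded first.
function genSalt(): string {
    $raw = random_bytes(16); // 128 bits of CSPRNG output
    return substr(strtr(base64_encode($raw), '+', '.'), 0, 22);
}

function genHash(string $password, int $cost = BCRYPT_COST): string {
    $setting = sprintf('$2y$%02d$%s', $cost, genSalt()); // prefix + cost + salt
    $hash = crypt($password, $setting);
    // crypt() returns a short failure string ("*0" / "*1") on bad input; never store that.
    if (strlen($hash) !== 60) {
        throw new RuntimeException('bcrypt hashing failed');
    }
    return $hash;
}

// Verification: crypt() reads only the "$2y$<cost>$<22-char salt>" part of the
// stored hash and ignores the trailing 31 characters, so the same salt is reused
// and the full 60-character result can be compared with what was stored.
function verify(string $password, string $storedHash): bool {
    $recomputed = crypt($password, $storedHash);
    return hash_equals($storedHash, $recomputed); // constant-time comparison
}

// Split a stored hash into its parts to make the layout above visible.
function parseHash(string $storedHash): array {
    return [
        'prefix' => substr($storedHash, 0, 4),      // "$2y$"
        'cost'   => (int) substr($storedHash, 4, 2),
        'salt'   => substr($storedHash, 7, 22),
        'hash'   => substr($storedHash, 29, 31),
    ];
}

// Constructed sample password, used only to exercise the functions.
$stored = genHash('correct horse battery staple');
print_r(parseHash($stored));
var_dump(verify('correct horse battery staple', $stored));
var_dump(verify('wrong password', $stored));
// Hashing the same password again yields a different string because the salt differs.
var_dump(genHash('correct horse battery staple') === $stored);
```

On PHP 5.5 and later, password_hash() and password_verify() wrap exactly this crypt()-based flow, including salt generation, and are the preferred interface.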

Conclusion

In summary, bcrypt generates a random salt for every hash, but because the salt is stored as part of the hash string, the verification process can read that salt back and reuse it. This is why a supplied password can be verified against the stored hash even though the salt was chosen at random.
