Yii framework project templates use bcrypt for handling passwords. Framework components provide polyfills ensuring bcrypt is used correctly.
bcrypt produces a compound hash that looks like the following:
The string is always 60 characters long.
- 2y indicates the algorithm. We are using Blowfish, so in current PHP versions it should
- 13 is the computation cost: the key derivation function runs 2^13 iterations.
- The rest of the string is the salt concatenated with the hash, encoded with base64 using a custom character set. The first 22 symbols are the 16-byte salt; the remaining symbols are the hash itself.
When verifying a password, bcrypt extracts the algorithm version, cost, salt and hash from the stored compound hash string. Then, using the extracted data, it computes the hash of the input and compares it with the stored hash.
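The field layout and the verification step described above, as an added PHP example (not Yii's own code): parseBcryptHash is a helper written here, and the plaintext and cost values are constructed for the demo.

```php
<?php
// Added example, not taken from Yii. Splits a bcrypt compound hash into its
// fields and shows that verification reuses the stored cost and salt.

function parseBcryptHash(string $hash): array
{
    // Layout: "$2y$" + 2-digit cost + "$" + 22 salt chars + 31 hash chars = 60 chars.
    // Salt and hash use bcrypt's custom base64 alphabet: . / A-Z a-z 0-9
    if (!preg_match('/^\$(2[aby])\$(\d{2})\$([.\/A-Za-z0-9]{53})$/', $hash, $m)) {
        throw new InvalidArgumentException('Not a bcrypt compound hash');
    }
    return [
        'algorithm' => $m[1],                // "2y" in current PHP versions
        'cost'      => (int) $m[2],          // 2^cost iterations of the KDF
        'salt'      => substr($m[3], 0, 22), // 22 symbols = 16 bytes of salt
        'hash'      => substr($m[3], 22),    // remaining 31 symbols = the hash
    ];
}

$cost     = 13; // constructed for the demo; match your application's policy
$password = 'correct horse battery staple'; // constructed sample input

// Stored at registration time: a fresh random salt is generated internally.
$stored = password_hash($password, PASSWORD_BCRYPT, ['cost' => $cost]);
$parts  = parseBcryptHash($stored);
printf("algorithm=%s cost=%d salt=%s\n", $parts['algorithm'], $parts['cost'], $parts['salt']);

// password_verify() reads cost and salt from $stored, hashes the input with
// them and compares the result to the stored hash in constant time.
var_dump(password_verify($password, $stored));
var_dump(password_verify('not the password', $stored));

// The same thing done by hand: crypt() with the stored prefix ("$2y$13$" plus
// the 22-char salt) must reproduce the stored string exactly.
$prefix = substr($stored, 0, 29);
var_dump(hash_equals($stored, crypt($password, $prefix)));

// Defender's check: if the stored cost falls below the current policy, the
// record should be re-hashed on the next successful login.
var_dump(password_needs_rehash($stored, PASSWORD_BCRYPT, ['cost' => $cost + 1]));
```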