Given this example taken from http://php.net/manual/en/function.crypt.php
crypt('rasmuslerdorf', '$2a$07$usesomesillystringforsalt$')
Firstly: What is the length that the salt has to be if the hashing method is BLOWFISH?
This is the output I get for the above example:
$2a$07$usesomesillystringsaled/4C6/vYhuH1f.Z/Kwf8X.c.e0jjHay
Is it intentional that the salt, rounds, and what method of hashing I’m using are stored in the returned string? When I store passwords hashed in this behavior, do I store the entirety of the string starting with $2a ?
When checking the entered password against the one in the DB, how can I retrieve the salt from the string if there isn’t anything separating it from the rest of the hash?
EDIT: Why is this method any more secure than using, say, SHA512/256? If someone were to use a dictionary attack/brute force method on a bunch of hashes with the salts, would they be able to crack the passwords any quicker?
Yes, the storing of the salt and other encryption parameters in the string are intentional; it saves you having to do it manually and maintains backward-compatibility when the number of rounds must be updated.
As for the number of effective characters in the salt, it is 22. Therefore, these two lines will result in the same hash:
As for checking the result from the database, simply use the string from the database itself as the parameters for
crypt.Here is a demonstration.