Question

I was wondering if

password_hash("custompassgoeshere", PASSWORD_BCRYPT)

is secure enough to store passwords in the DB, or whether I should add some more SALT to it (I was thinking of something like the user's username/email/date of birth/etc).

Thanks!


Solution

Bcrypt would be secure enough on its own; ensure that you increase the iterations/cost to something high enough (but not too slow for your server). You may need to try a few values to find acceptable hashing times.

You do not need to salt your passwords: Bcrypt generates a unique salt for each hash automatically and stores it with the hash.

See: How can bcrypt have built-in salts?
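The two points of the answer in PHP, as an added example that is not code from the question or the answer: picking a bcrypt cost by timing it, and showing that `password_hash()` salts each call itself. The 250 ms budget and the helper names are assumptions for illustration.

```php
<?php
declare(strict_types=1);

// Added example, not part of the original answer. The 250 ms budget is an
// assumed target; measure on your own server as the answer suggests.
function chooseBcryptCost(float $targetSeconds = 0.25, int $maxCost = 31): int
{
    $cost = 10; // PASSWORD_BCRYPT default cost in PHP
    while ($cost < $maxCost) {
        $start = hrtime(true);
        password_hash('timing-probe', PASSWORD_BCRYPT, ['cost' => $cost + 1]);
        $elapsed = (hrtime(true) - $start) / 1e9;
        if ($elapsed > $targetSeconds) {
            break; // next cost level would exceed the budget; keep current
        }
        $cost++;
    }
    return $cost;
}

// No manual salt: password_hash() draws 16 random bytes itself and embeds
// them (base64-encoded, 22 chars) in the returned "$2y$<cost>$..." string.
function hashPassword(string $password, int $cost): string
{
    return password_hash($password, PASSWORD_BCRYPT, ['cost' => $cost]);
}

// Verify a login and report whether the stored hash should be regenerated
// because the configured cost has been raised since it was created.
function checkLogin(string $password, string $storedHash, int $currentCost): array
{
    $ok = password_verify($password, $storedHash);
    $needsRehash = $ok
        && password_needs_rehash($storedHash, PASSWORD_BCRYPT, ['cost' => $currentCost]);
    return ['ok' => $ok, 'rehash' => $needsRehash];
}

$cost = chooseBcryptCost();
$h1 = hashPassword('custompassgoeshere', $cost);
$h2 = hashPassword('custompassgoeshere', $cost);

// Same password hashed twice yields two different strings: the salt field
// after the third '$' differs, so an extra per-user salt adds nothing.
echo "cost chosen: $cost\n", "hash 1: $h1\n", "hash 2: $h2\n";
echo 'hashes differ: ', var_export($h1 !== $h2, true), "\n";
echo 'login ok: ', var_export(checkLogin('custompassgoeshere', $h1, $cost)['ok'], true), "\n";
echo 'wrong pw ok: ', var_export(checkLogin('wrong-password', $h1, $cost)['ok'], true), "\n";
echo 'rehash after cost bump: ', var_export(checkLogin('custompassgoeshere', $h1, $cost + 1)['rehash'], true), "\n";
```

On a successful login where `rehash` is true, store `hashPassword($password, $cost)` in place of the old hash so existing accounts pick up the higher cost over time.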

Licensed under: CC-BY-SA with attribution