PHP password_hash(): Are password hashes portable between systems?

Question 1

Yes, it is correct. The documentation for password_verify states:

Note that password_hash() returns the algorithm, cost and salt as part of the returned hash. Therefore, all information that's needed to verify the hash is included in it. This allows the verify function to verify the hash without needing separate storage for the salt or algorithm information.

Of course it's also easy to see that this information is there by inspecting the output of password_hash and crypt (which is, to overgeneralize a bit, mostly the same thing).

Question 2

Yes, crypt() based hashes are portable; they can be transferred to any system and they can be used to successfully verify a given password, because it contains all necessary data to perform this verification.

Note that a high cost factor may cause lesser systems to take longer to verify a password, due to the higher number of iterations required.

Also take care of the storage requirements; if you're always going to use bcrypt it's safe to store password hashes in varchar(60) columns. Otherwise varchar(255) is recommended.

Question 3

The bcrypt algorythm includes it's own vector and/or salt and should be portable. Neither hash nor vecotor/salt include anything specific to a system.

This should also be applicable to any other algorythm that either doesnt use a vecotr (or other element in addition to the hash) or includes this hash in it's output.

Question 4

I don't know where you wanna save the hash, but if you save it to database, usw the database own encryption/hash functions complain it

example (with encryption)

INSERT INTO table (pass_hash,....) VALUES ( MD2 | MD4 | MD5 | SHA | SHA1 | SHA2_256 | SHA2_512 (" $password ") )
SELECT * FROM table WHERE pass_hash = MD2 | MD4 | MD5 | SHA | SHA1 | SHA2_256 | SHA2_512 (" $password ")