
So I have the following line of JavaScript code:

```javascript
$.ajax({"type":"POST", "url":"php/hashslingingslasher.php", "data":{"hashme":"lolmypassroot"}, success: function(resp){console.log(resp);}, error:function(resp){console.log(resp);}});
```

And the contents of hashslingingslasher.php are as follows:

```php
$options = array('cost' => 11);
echo password_hash($_REQUEST['hashme'], PASSWORD_BCRYPT, $options);
```

(For simplicity I took out all my isset() calls and error checks.)

It gives me multiple answers when I make this ajax call multiple times.

```
$2y$11$vXvo6BzpQiRyzVAh5DlZPenXPojY8wKCQa1mmMArnkSzpsSO8V.xG
$2y$11$jh25GXcpia1kjIjOlE44Fu4HqtayOvKJ/YqXpeG3qsD1wI3SYIqre
$2y$11$O3iZyflCoRsBoo3kXELlK.HZI9NYsPTT2PT3KV5VBiyknIVZdIOiC
```

Is this expected? I was under the impression that hashes had to be deterministic to be verifiable; I know that in some encryption schemes, a randomness element is used to encrypt, but the random value is also provided on decryption (or else it would be impossible to decrypt).

Can someone offer insight about what's going on here?

EDIT: I see that my question was marked as a duplicate. While the other accepted answer is helpful, it doesn't really explain too well how the random salt is passed. Obviously the salt has to be part of the hash, after the third $ - anyone know how the salt is found from it?

user3475234

  • Yep, pretty much a new hash each time. The verification process works with each however. – mario Aug 10 '15 at 12:29
  • See [password_hash function in php 5.5](http://stackoverflow.com/a/25208035) on where the salt is embedded. The `$2y` is the crypt algorithm, `$11` the cost, and 22 letters thereafter the embedded salt. (See also [PHP password_hash function salt length 21 or 22?](http://stackoverflow.com/q/26295266) and [Crypt for password hashing. Blowfish produces weird output](http://stackoverflow.com/a/16280909) for more details from the author.) – mario Aug 10 '15 at 12:43
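
How the salt travels with the hash, as an added example (not code from the question or the comments): it splits a bcrypt string into the fields the second comment lists, then feeds the first 29 characters back to `crypt()` to show that the same password and the stored salt always reproduce the stored string. `parse_bcrypt()` and `recompute()` are hypothetical helper names.

```php
<?php
// Added example: shows where the salt lives in a bcrypt string and why
// verification is deterministic. parse_bcrypt() and recompute() are
// hypothetical helpers, not part of PHP.

function parse_bcrypt(string $hash): array
{
    // Layout: $<version>$<2-digit cost>$<22-char salt><31-char digest>
    $re = '#^\$(2[abxy])\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$#';
    if (!preg_match($re, $hash, $m)) {
        throw new InvalidArgumentException('not a bcrypt hash string');
    }
    return ['version' => $m[1], 'cost' => (int) $m[2],
            'salt' => $m[3], 'digest' => $m[4]];
}

function recompute(string $password, string $hash): string
{
    // crypt() reads algorithm, cost and salt from the first 29 characters
    // ("$2y$11$" plus 22 salt characters) of its second argument.
    return crypt($password, substr($hash, 0, 29));
}

$password = 'lolmypassroot';

// Field split of the first hash quoted in the question (parsing only).
print_r(parse_bcrypt('$2y$11$vXvo6BzpQiRyzVAh5DlZPenXPojY8wKCQa1mmMArnkSzpsSO8V.xG'));

// Two fresh hashes of the same password: a new random salt each time.
$a = password_hash($password, PASSWORD_BCRYPT, ['cost' => 11]);
$b = password_hash($password, PASSWORD_BCRYPT, ['cost' => 11]);

foreach ([$a, $b] as $hash) {
    $p = parse_bcrypt($hash);
    printf("salt=%s digest=%s\n", $p['salt'], $p['digest']);
    // Same password + salt taken from the stored string => same string again.
    var_dump(hash_equals($hash, recompute($password, $hash)));
    // password_verify() does this recompute-and-compare internally.
    var_dump(password_verify($password, $hash));
    // A wrong password hashed with the same salt gives a different digest.
    var_dump(password_verify('wrong-guess', $hash));
}

// The two stored strings differ even though the password is identical.
var_dump($a === $b);
```

Only the stored string is needed at login time: there is no separate salt column to keep, and `password_verify()` is the call to use in application code rather than a hand-rolled comparison.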
