PHP manual for password_hash() (http://php.net/manual/en/function.password-hash.php) says:
The used algorithm, cost and salt are returned as part of the hash. Therefore, all information that's needed to verify the hash is included in it.
My question is: why?
I read this in another SO answer: (Static Salt vs Random Salt - Security PHP)
Random salts have a tremendous benefit. If all accounts in the system use the same salt, an attacker can brute-force calculate hashes for that salt and break into all accounts with just one computational run.
I get that. However, password_hash() embeds the salt in the returned hash, which I believe makes it public, so the salt is known to the attacker for every password.
Wouldn't it be better to have a long private salt instead?
One thing I could think of is that hashes created with the same salt would be identical for identical passwords, and possibly allow an attacker to make progress through statistical analysis of the hashes in the database.
However, this could possibly be mitigated by using a dictionary of private hashes instead of just one, but this is no longer possible with password_hash() in PHP 7.
I'm not a security expert, and I believe that the PHP guys know what they're doing, so I would be happy to hear why password_hash() way is considered to be the right way to go.
