> Say you have:
> define('MY_HASHING_SECRET', 'hhtrg54~%$%4....long'); $password =
> '1234';
>
> password_hash_rfc($password . MY_HASHING_SECRET,
> PASSWORD_METHOD_BCRYPT); password_hash($password, MY_HASHING_SECRET);
>
> Note here that in both cases we let crypt() generate a random salt that
> is different for every password and store in the password.
>
> But our 'secret' that is appended to every password is not stored in a
> database for example, it's in some ways similar to a private key.
>
> -- password_make_salt()
>
Another comment about this, the 'secret' in this case in somewhat similar
the 'purpose' of the salt:
http://csrc.nist.gov/publications/nistpubs/800-132/nist-sp800-132.pdf
S = purpose || rv
P = password
What I'm proposing is:
S = rv (random value from crypt)
P = password || purpose
In the end, it's the same thing we're feeding into the hash (more data/bits)
Whatever api is used, I think it's important to allow appending this purpose
or secret that's not stored directly in the final crypt() hash.