You define the algorithm as part of the salt string. For example, starting at $2a$ you get the Blowfish cipher. If the machine does not support the algorithm that you are trying to use, you will not get a meaningful result. You can try to figure out in advance which algorithms are supported by checking some predefined constants, such as CRYPT_BLOWFISH , although I noticed that the constants CRYPT_SHA256 and CRYPT_SHA512 not always defined, at least in PHP 5.2. Starting with PHP 5.3, PHP has its own implementation of the algorithms , therefore, it does not matter that the system has compilation time in PHP, as it does in PHP 5.2 and earlier. The Suhosin patch for PHP 5.2 supposedly adds at least Blowfish, but its implementation does not seem to be compatible with the one used in PHP 5.3.
The PHP docs for the crypt() function provide some information on how to use the salt string to indicate which algorithm to use:
- CRYPT_STD_DES - a standard DES-based hash with a two-character salt from the alphabet "./0-9A-Za-z". Using invalid characters in salt will cause crypt () to fail.
- CRYPT_EXT_DES - An extended DES-based hash. "Salt" is a 9-character string consisting of an underscore followed by 4 bytes of iteration and 4 bytes of salt. These are encoded as printed characters, 6 bits per character, least significant character. Values ββfrom 0 to 63 are encoded as "./0-9A-Za-z". Using invalid characters in the salt will cause crypt () to fail.
- CRYPT_MD5 - MD5 hash with twelve-character salt starting at $ 1 $
- CRYPT_BLOWFISH - Blowfish bread with salt as follows: "$ 2a $", two-digit value parameter, "$" and 22 digits from the alphabet "./0-9A-Za-z". Using characters outside this range in salt will call crypt () to return a string of zero length. The two-digit cost parameter is the logarithm of the base-2 iteration for the basic Blowfish-based hash algorithm and should be in the range 04-31, values ββoutside this range will cause crypt () to fail.
- CRYPT_SHA256 - A SHA-256 hash with a 16-digit salt prefixed with $ 5 $. If the salt shaker starts with "rounds = $", a numerical value of N is used to indicate how many times the hash cycle should be executed, as well as the cost parameter on Blowfish. By default, the number of rounds is 5000, minimum 1000 and maximum 999999999. Any choice of N outside this range will be truncated to the nearest limit.
- CRYPT_SHA512 - A SHA-512 hash with sixteen characters prefixed with $ 6 $. If the salt string starts with 'rounds = $', a numerical value of N is used to indicate how much since the hash cycle should be performed, as well as the cost parameter on Blowfish. The default number of rounds is 5000, minimum 1000 and maximum 999 999 999. Any choice of N outside this range will be truncated to the nearest limit.
So, to indicate that you want the string "password" hashed using Blowfish with iterations of 2 ^ 10, you can use
crypt('password', '$2a$10$XA86t7EJ0xD9OYEUbnTulT');
where the line starting with XA86 is the salt.
Finally, if you want more examples or just want something to take care of this whole thing to ensure password compatibility, check out phpass . This is a public domain and works great in my experience. It will automatically use the "best" algorithm in the system if you do not specify that you want a hash that is compatible with several systems, in which case (I think) it uses MD5.