Determine which prefix we should use about bcrypt HOT 3 CLOSED

An important consideration, I'm pretty sure I selected $2a$ to maximize compatibility, particularly with py-bcrypt since $2y$ was custom to the C lib. However now that $2b$ is a "standard" prefix too, py-bcrypt might either support it as well, or it might be sane to say we want to pick theoretical security over comparability.

from bcrypt.

I'm currently implementing bcrypt password usage in a project and wanted to drop my two cents after reading through jazzyb's changes. The hashes in my system are accessed both by Python and PHP. Where $2y$ is the indicator that it is using the patched $2a$, should not $2y$ be the default output, with $2b$ or $2a$ as an option? Since I'm talking about compaitibility and just re-read your first post, I guess keeping $2a$ as default and either $2b$ or $2y$ as the options. Right now, $2a$ and $2y$(default output) are supported by the 'stable' PHP 5.5 library, where $2b$ is not. If $2b$ is algorithmically the same as $2y$, would it be better to stay compatible? And later updating the default to $2b$ when it is better supported?

php > $pwd = 'hello world';
php > $hasha = '$2a$12$CPeaPhxqTrBzJXP1KB1C/.t.2TJ7EzHhyCCmiLKAEKZovzmvdMwge';
php > $hashb = '$2b$12$CPeaPhxqTrBzJXP1KB1C/.t.2TJ7EzHhyCCmiLKAEKZovzmvdMwge';
php > $hashy = '$2y$12$CPeaPhxqTrBzJXP1KB1C/.t.2TJ7EzHhyCCmiLKAEKZovzmvdMwge';
php > var_dump(password_verify($pwd, $hasha));
bool(true)
php > var_dump(password_verify($pwd, $hashb));
bool(false)
php > var_dump(password_verify($pwd, $hashy));
bool(true)

from bcrypt.

I'm adding a check in my code to handle this issue if $2b$ becomes the default, but had I not seen this post, I would have had a lot of very unhappy users.

from bcrypt.