Hi everyone. I need to learn blowfish scheme details. How can i create a blowfish password via php and how can i verify a user's password. thanks

Maybe look at the php functions password_hash (http://php.net/manual/en/function.password-hash.php) and password_verify (http://php.net/manual/en/function.password-verify.php)

BTW, I don't know much about vb5. If you are specifically asking about what vb5 does for password hashing then my answer probably doesn't make sense.

i know these functions, i am asking specially for vb5

hi again!
password_hash($pass, PASSWORD_BCRYPT, array('salt' => ''));
this is ok. i wonder what is the salt?

Again, I'm not sure if you're asking a question about vb5. But when using the password_hash function you can provide a random string as salt, but you don't have to. If you don't, a random string will be generated for you. The salt is returned as part of the hash, so you do not need to store the salt separately.

Also (as you may know already), those functions are only in php 5.5 or greater, but before that you could use crypt() to do the same thing (although then you *would* need to create your own random string for salt).

Salt can't be random. if it is random, diffrent passwords are created at every turn.

Of course it can. You need to store the salt with the encrypted password.

I'm not really an expert on password algorithms, but my understanding is that a salt value is randomly generated at some point (like whenever the password is changed), but of course you need to save the salt as well as the hashed password to be able to validate a password. So you're right, it isn't generated randomly every time you check a password. But as I mentioned above, the password_hash() function (and the crypt() function it's based on) return a string that includes the hash algorithm, the iteration count, and the salt (in addition to the hashed password), so you really only need to save the one string that is returned, and when you use password_verfiy() to check a password, that string will contain all the necessary information.

It might help to study the examples for password_hash() (http://php.net/manual/en/function.password-hash.php) and crypt() (http://php.net/manual/en/function.crypt.php) in the php manual.

Edit: cellarius posted while I was writing, didn't mean to repeat what he said.

Of course it can. You need to store the salt with the encrypted password.

you are right i wonder that:

the function is this
password_hash($password, $algo, array $options = array())
what is password? only the key which user writes or md5($password) or anything else?

And what is the array("salt" => ?). This not secret key. You know there is a secret in db. Salt cloumn is null. oh my god i will be crazy soon. :)