The reason you may see a new hash each time your run password_hash
this way is because it will automatically generate a new random salt, which will result in a different hash even if the input password is the same.
While, as of PHP 7 the salt option is deprecated, it is definitely not removed from password_hash
. Though, you should note that the reason it is deprecated is because it is planned for removal (probably in the next minor release of PHP). The reason it is planned for removal is because it discourages people from using inferior means of generating their salt. Since the function can generate good random salts for you automatically there's really very little reason to want to provide your own.
In any case, password_hash
is just a thin wrapper over crypt
, which exposes more of the primitives of the underlying API. So if you wanted to provide your own salt through crypt
you still could. Though I highly discourage it when PHP can just do it for you with password_hash
and in a manner which is not likely to result in error.