Hello. I personally think that using PASSWORD_DEFAULT for the algorithm by default is a bad idea. This should be defined by the user in the code. Even worse if it is defined by an .ini setting: deploy to a remote server and realize that there is a different .ini default that messes up everything. Are lessons learned in the past forgotten so fast?
And the thing I don't get is how I verify a salted password. I have read through the RFC, and what I know about salts makes me wonder: how the hell will I verify my salted hash if I can't pass the salt to password_verify? If there is some trick behind it, it should be explained in the RFC (and in the docs later, because otherwise it makes people who are not into cryptography go WTF?!). Arvids.
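
The mechanism behind the question above, as an added example that is not part of the original post or of the RFC: a hash produced by password_hash() is a crypt(3)-style string that already carries the algorithm identifier, the cost and the salt, so password_verify() reads the salt back out of the stored string rather than taking it as a parameter. The example also pins the algorithm to PASSWORD_BCRYPT explicitly instead of relying on PASSWORD_DEFAULT. It assumes PHP 5.5 or later (the password_* API); the sample password is constructed for the demonstration.

```php
<?php
// Added example (not from the original post): a PHP password hash string
// carries its own salt, so password_verify() needs no salt parameter.
// Requires PHP >= 5.5. The password below is a constructed sample value.

$password = 'correct horse battery staple';   // constructed sample input

// Pin the algorithm and cost explicitly rather than relying on
// PASSWORD_DEFAULT, so the behaviour does not depend on the server's
// PHP version or configuration.
$hash = password_hash($password, PASSWORD_BCRYPT, ['cost' => 12]);

// The result is 60 characters: "$2y$12$" . 22-char salt . 31-char digest.
// password_hash() generated the salt from the OS random source and
// stored it inline, right after the cost.
printf("stored hash : %s\n", $hash);
printf("algorithm   : %s\n", substr($hash, 0, 3));   // "$2y"
printf("cost        : %s\n", substr($hash, 4, 2));   // "12"
printf("salt        : %s\n", substr($hash, 7, 22));  // 22 bcrypt-base64 chars
print_r(password_get_info($hash));                     // algoName, options[cost]

// Verification: password_verify() parses algorithm, cost and salt out of
// $hash, re-hashes the candidate with exactly those parameters and compares
// the result against the stored digest.
var_dump(password_verify($password, $hash));          // bool(true)
var_dump(password_verify('wrong password', $hash));   // bool(false)

// A hash created under a different cost still verifies, because the cost
// is taken from the stored hash, not from the current configuration.
$old = password_hash($password, PASSWORD_BCRYPT, ['cost' => 10]);
var_dump(password_verify($password, $old));           // bool(true)

// On a successful login, detect hashes made under a weaker policy and
// replace them with one that matches the current policy.
if (password_needs_rehash($old, PASSWORD_BCRYPT, ['cost' => 12])) {
    $upgraded = password_hash($password, PASSWORD_BCRYPT, ['cost' => 12]);
    // ... store $upgraded in place of $old ...
    printf("rehashed    : %s\n", $upgraded);
}
```

The practical consequence is that the application never stores or passes a salt separately: it stores the single string password_hash() returns and hands that same string back to password_verify(). Because the cost is read from the stored hash, raising the cost later does not invalidate existing hashes; password_needs_rehash() is the hook for upgrading them opportunistically at login time.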
