Because the salt must be unique for each password, setting the salt yourself could result in a constant salt. For example:

password_hash('senha_legal', PASSWORD_DEFAULT, ['salt' => '1234567891234567891234']);

In this way all passwords would use 1234567891234567891234, and all passwords would come out as follows:

$2y$10$123456789123456789123u2l31KVtAAQPjgDEYorAjG5V8p9MWDx2
$2y$10$123456789123456789123uOlCRXcGHP2s7.4hwA7pLsVlmqL3pmLq
$2y$10$123456789123456789123uN0gdQ.iBssxH4MxYvSqqYkSgAKQuL9S

The use of a salt causes a common password to become uncommon, so if a user registers with the same password, using the same salt would give this result:

$2y$10$123456789123456789123uN0gdQ.iBssxH4MxYvSqqYkSgAKQuL9S

No matter how many times you run php -r "echo password_hash('senha_legal', PASSWORD_DEFAULT, ['salt' => '1234567891234567891234']);", the result will always be this, regardless of where, when, or on which server.

An attacker will have the password of two users, because all users who use the password senha_legal will have the same result; in addition, they may be able to generate multiple passwords using the same salt and so check directly whether the passwords match.

Examples used:

123 => $2y$10$123456789123456789123u2l31KVtAAQPjgDEYorAjG5V8p9MWDx2
teste => $2y$10$123456789123456789123uOlCRXcGHP2s7.4hwA7pLsVlmqL3pmLq
senha_legal => $2y$10$123456789123456789123uN0gdQ.iBssxH4MxYvSqqYkSgAKQuL9S

What makes passwords different is the salt applied to them, and you can notice that the salt is present in the above code by the constant 123456789123456789123, with $10 indicating its difficulty.
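As an added example (not part of the answer above), the following PHP script hashes the same password twice with password_hash() letting PHP choose the salt, then splits each bcrypt string into its cost, salt and hash fields to show that the two stored values differ while password_verify() still accepts both. The helper bcryptParts() is written for this example and is not a PHP built-in.

```php
<?php
// Added example: contrast with the constant-salt call in the answer.
// Uses only PHP built-ins (PHP 7.x / 8.x); no custom 'salt' option is passed.

// Split a bcrypt string "$2y$<cost>$<22-char salt><31-char hash>" into its fields.
// bcryptParts() is a helper written for this example, not a standard function.
function bcryptParts(string $hash): array {
    // A bcrypt string is exactly 60 characters: 7 for "$2y$NN$", 22 salt, 31 hash.
    if (strlen($hash) !== 60 || !preg_match('/^\$2y\$(\d{2})\$/', $hash, $m)) {
        throw new InvalidArgumentException('not a $2y$ bcrypt hash');
    }
    return [
        'cost' => (int) $m[1],          // the "10" in "$2y$10$" is the cost parameter
        'salt' => substr($hash, 7, 22), // the part the answer shows as a constant
        'hash' => substr($hash, 29),    // the remaining 31 characters
    ];
}

$password = 'senha_legal'; // two different users registering the same password

// Each call draws a fresh random salt internally.
$hashUser1 = password_hash($password, PASSWORD_BCRYPT, ['cost' => 10]);
$hashUser2 = password_hash($password, PASSWORD_BCRYPT, ['cost' => 10]);

$p1 = bcryptParts($hashUser1);
$p2 = bcryptParts($hashUser2);

printf("user1: %s\nuser2: %s\n", $hashUser1, $hashUser2);
printf("cost: %d / %d\n", $p1['cost'], $p2['cost']);
printf("salt user1: %s\nsalt user2: %s\n", $p1['salt'], $p2['salt']);

// Because the salts differ, the full strings differ, so comparing stored hashes
// does not reveal that both users chose the same password.
printf("stored hashes identical: %s\n", $hashUser1 === $hashUser2 ? 'yes' : 'no');

// password_verify() reads cost and salt from the stored string itself, so no salt
// has to be kept anywhere else and both users can still log in.
printf("user1 verifies: %s\n", password_verify($password, $hashUser1) ? 'yes' : 'no');
printf("user2 verifies: %s\n", password_verify($password, $hashUser2) ? 'yes' : 'no');
```

The 'salt' option used in the answer has been deprecated since PHP 7.0 and is ignored with a warning since PHP 8.0, so on current PHP versions password_hash() always generates the random salt this example relies on.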