What is the difference between using password_default and password_bcrypt?

There is no difference right now.

The difference is that PASSWORD_DEFAULT is set to change when new algorithms are added, however at this time ( now latest version is PHP 7.1 for reference ) PHP only supports BCrypt.

In the PHP 7.2 is to come Argon2 , if this is actually done there may be options, for example: / p>

PASSWORD_BCRYPT 
PASSWORD_ARGON2I

This way PASSWORD_DEFAULT can change in PHP 7.3 from PASSWORD_BCRYPT to PASSWORD_ARGON2I , this is the purpose of it, so it is advised that it can change according to the time.

But at this time there is no difference between PASSWORD DEFAULT and PASSWORD_BCRYPT .

PASSWORD_DEFAULT update policies

• Any new algorithm should be available for at least one full PHP version (full release) to become PASSWORD_DEFAULT . If SCrypt is added in PHP 5.5.5, it can not be DEFAULT until PHP 5.7, because PHP 5.6 is the only "full release". If JCrypt is added in PHP 5.6.0 it can become standard in PHP 5.7.

• The PASSWORD_DEFAULT can only be changed in a "full version" (full release, 5.5, 5.6, 7.0 ...) and can not be modified in revision versions (5.5.1, 5.6.1. ..) unless it is an emergency, such as in the case of a serious security vulnerability found in the DEFAULT used.

As described in the manual, it is recommended to use PASSWORD_DEFAULT .

The description informs that currently PASSWORD_DEFAULT uses PASSWORD_BCRYPT , which would be the strongest algorithm available in PHP for creating password hashes.

In turn, PASSWORD_BCRYPT uses CRYPT_BLOWFISH . That is, as described:

  

This will produce a standard crypt () compatible hash using the "$ 2y $" identifier.

It is important to note that, password_hash() is nothing more than a wrapper of crypt() with a salt automatic generator, a limited and compatible number of hash's for password, or as described in crypt ():

  

password_hash () is a simple crypt () wrapper and compatible with existing password hashes

The difference between using password_hash() and only crypt() is for the salt's that are automatically created by the password_hash() function. As described in the following excerpts:

  

password_hash () uses a strong hash, generates strong salt, and applies proper rounds automatically.

E:

  

salt - to manually provide a salt to use when hashing the password. Note that this will override and prevent a salt from being automatically generated.

In case of crypt() , if salt is not informed, it will not use salt and will create a "weak hash", which can be broken more easily that one with a salt :

  

The salt parameter is optional. However, crypt () creates a weak hash without the salt. PHP 5.6 or later raise an E_NOTICE error without it. Make sure to specify a strong enough salt for better security.

Since the description in PASSWORD_DEFAULT , is that in some future (next or not) a stronger algorithm than CRYPT_BLOWFISH can be created and it becomes the default for the new passwords , making CRYPT_BLOWFISH obsolete. Therefore, it is recommended that the password fields be at least 255. Currently, PASSWORD_BCRYPT will generate a hash of 60 characters, and in the meantime, a new one may be larger.