How does password_hash really work?

Question

I am trying to understand password_hash fully in order to be able to explain it for an auditor.

Based on my searching for an answer, I understand that the passwor

Answer 1

I find this article incredibly useful to understand how to correctly hash passwords. It explains how hashes can be cracked with various techniques if the hashes are weak, and how to hash passwords correctly to provide sufficient security.

If I supply a higher cost (say 12), will it still generate a random salt since I am not supplying a salt value

Yes it will - as the documentation says if salt is omitted, a random salt will be generated by password_hash() for each password hashed (this means if you omit the salt value from your options array, it will be generated by password_hash() function defaultly). Moreover, the salt option has been deprecated since php 7.0.

why increases to the cost value increase security?

This is also explained in the above article in section Making Password Cracking Harder: Slow Hash Functions. The higher the cost is set to, the slower is the hash function. The idea is to make the hash function very slow, so that even with a fast GPU or custom hardware, dictionary and brute-force attacks are too slow to be worthwhile. The cost should be however set to reasonable value (based on the specs of your server), so that it doesn't cause significant time delays when verifying users' passwords.

More, is CRYPT_SHA512 stronger that CRYPT_BLOWFISH for hashing?

Read this post about their comparison.