echo crypt('test', "$2a$07$"); produces a long hash in PHP version 5.4.16, but it produces the "failure string" *0 in 5.6.4.
Reading the PHP docs on crypt(), I'm still not quite clear why, though the Changelog mentions the *1 being returned instead of *0 depending on the circumstance. (http://php.net/manual/en/function.crypt.php)
What is the reasoning for *0 being returned in this case? Did PHP past 5.4 stop tolerating the bad salt of the form $2a$07$?
The Blowfish definition says that you have to define a string after the third $.
<?php
echo crypt('test', "$2a$07$mystring");
?>
Blowfish hashing with a salt as follows: "$2a$", "$2x$" or "$2y$", a two digit cost parameter, "$", and 22 characters from the alphabet "./0-9A-Za-z"
When you don't define that string you get an error *0.
5.6.5 When the failure string "*0" is given as the salt, "*1" will now be returned for consistency with other crypt implementations. Prior to this version, PHP 5.6 would incorrectly return a DES hash.