I decided to drop md5() as the password-encrypting algorithm when storing user passwords in the DB, in favor of the phpass library.
On the systems using md5, it was no problem to have a Production/Development dyad, as the resulting hash was the same. So, in case I created a test user in either one of them, the same password worked in the other environment.
From what I gather, this is not the same for other types of hashing algorithms, as phpass (or its internal php functions) creates platform-dependent hashes (I'm a hashing/encryption novice).
My question is, how should one approach this situation? Different database in prod/dev? But what if "upstairs" decided that we should move our web application (along with its DB) to another server - wouldn't the hashed passwords be now invalid - as phpass would create different hashes for the same (old) passwords?
Well, I didn't bother to check a dev hash against a production one. Even though they're different, their comparison results in "true", as in "they're equivalent". I thought that if hashes are different, they don't match (like md5).
A very simple solution to your problem: Always use the latest stable version of PHP. As of 5.3 PHP provides native implementations of crypt algorithms and thus isn't platform-dependent anymore. Your hashes should thus be compatible.
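The behaviour the asker noticed in the update (two different hashes of the same password that still compare as equivalent) and the answer's point about native crypt() both come down to the salt being stored inside the hash string. The following PHP script is an added example, not code from the question, the answer or the phpass library; it assumes PHP 5.3.7 or later so that the native `$2y$` bcrypt implementation of crypt() is available, and it uses openssl_random_pseudo_bytes() for the salt because random_bytes() only exists from PHP 7.

```php
<?php
// Added example: two salted crypt() hashes of the same password differ,
// yet both verify, because crypt() reads algorithm, cost and salt back
// out of the stored hash. Assumes PHP >= 5.3.7 (native "$2y$" bcrypt).

function make_hash($password)
{
    // 22 characters of salt drawn from the bcrypt alphabet [./A-Za-z0-9].
    // base64 of 16 random bytes yields 22 payload characters plus padding;
    // '+' is not in the bcrypt alphabet, so it is mapped to '.'.
    $raw  = openssl_random_pseudo_bytes(16);
    $salt = substr(strtr(base64_encode($raw), '+', '.'), 0, 22);

    // Cost 10 means 2^10 key-expansion rounds; raise it as hardware speeds up.
    $hash = crypt($password, '$2y$10$' . $salt);

    // A full bcrypt hash is exactly 60 characters; crypt() returns a short
    // string (fewer than 13 characters) when the algorithm is unavailable.
    if (strlen($hash) !== 60) {
        throw new RuntimeException('bcrypt is not available on this PHP build');
    }
    return $hash;
}

function check_password($password, $stored_hash)
{
    // Passing the stored hash as the "salt" argument makes crypt() reuse the
    // same algorithm, cost and salt, so the output is comparable to the
    // stored value regardless of which machine produced it.
    $candidate = crypt($password, $stored_hash);
    return constant_time_equals($candidate, $stored_hash);
}

function constant_time_equals($a, $b)
{
    // hash_equals() only exists from PHP 5.6; this loop compares every byte
    // so the comparison time does not reveal where the strings first differ.
    if (strlen($a) !== strlen($b)) {
        return false;
    }
    $diff = 0;
    $len  = strlen($a);
    for ($i = 0; $i < $len; $i++) {
        $diff |= ord($a[$i]) ^ ord($b[$i]);
    }
    return $diff === 0;
}

// Constructed demonstration: pretend "dev" and "prod" each hashed the same
// password independently, then each verifies the other's hash.
$password  = 'correct horse battery staple';
$dev_hash  = make_hash($password);
$prod_hash = make_hash($password);

printf("dev : %s\nprod: %s\n", $dev_hash, $prod_hash);
printf("hash strings identical   : %s\n", var_export($dev_hash === $prod_hash, true));
printf("dev hash verifies on prod: %s\n", var_export(check_password($password, $dev_hash), true));
printf("prod hash verifies on dev: %s\n", var_export(check_password($password, $prod_hash), true));
printf("wrong password verifies  : %s\n", var_export(check_password('wrong password', $prod_hash), true));
```

Run it with `php hash_demo.php` (an assumed filename). The two hash strings differ because each call draws a fresh random salt, which is exactly the property the asker took for platform dependence; verification still succeeds in both directions because the salt travels inside the 60-character hash. The same holds for moving the database to another server: as long as the target PHP build supports the `$2y$` prefix, the existing hashes keep working unchanged.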