Combined hashes can be used for i.e. converting already existing password hashes to bcrypt. While this will not provide the same security a pure bcrypt hash provides, it will still be significantly more secure than a standard salted md5. A combined hash will look as follows: $H\2y${salted_for_H_prefix}${salt_+_settings_for_2y_prefix}${hash} The prefixes are seperated by a backslash. Individual settings (which can include either just the salt or a salt and possible additional settings) are seperated by dollar signs. As backslashes and dollar signs are not allowed in hashes or salts, they will be used for seperating the settings from the salt. Here is an example of a password hash: $H\2a$9zv1uIaq1$10\1ff4640409fb96a449c1fO$/oN1O0cdUmFSMZT3UZKrgAyalhnt1LC The 'H' prefix stands for the salted md5 implementation of phpBB 3.0. Its settings will be parsed as 9zv1uIaq1 resulting in a hash for the check as follows: $H$9zv1uIaq1{hash} Since the password is used for hashing, the {hash} can be left blank and will basically be filled by the hashing algorithm. The {hash} will then be used as password for the next hashing algorithm. In this case that would be the bcrypt algorithm. The settings are set to 10\1ff4640409fb96a449c1fO which will be transformed to 10$1ff4640409fb96a449c1fO resulting in a hash like this for the bcrypt hashing function: $2a$10$1ff4640409fb96a449c1fO{hash} The {hash} will again be basically filled by the hashing algorithm. Afterwards, the {hash} will be extracted from the returned hash and put at the end of the already known hash settings: $H\2a$9zv1uIaq1$10\1ff4640409fb96a449c1fO$ If the password is correct, the combined hash will of course be the same as the stored one. PHPBB3-11610