The prefix “$2a$” or “$2b$” (or “$2y$”) in a hash string in a shadow password file indicates that the hash string is a bcrypt hash in modular crypt format. The rest of the hash string includes the cost parameter, a 128-bit salt (base-64 encoded as 22 characters), and 184 bits of the resulting hash value (base-64 encoded as 31 characters). The cost parameter specifies a key expansion iteration count as a power of two, which is an input to the crypt algorithm.
For example, the shadow password record
$2a$10$N9qo8uLOickgx2ZMRZoMyeIjZAgcfl7p92ldGxad68LJZdL17lhWy
specifies a cost parameter of 10, indicating 2^10 = 1,024 key expansion rounds. The salt is N9qo8uLOickgx2ZMRZoMye and the resulting hash is IjZAgcfl7p92ldGxad68LJZdL17lhWy. Per standard practice, the user’s password itself is not stored.
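Added example, not from the original page: a stdlib-only Python parser for the bcrypt modular-crypt format described above. It splits a record into version, cost, salt and hash, decodes the salt and hash with bcrypt's own base-64 alphabet (which differs from RFC 4648), and checks that they come out as 128 and 184 bits; the cost range check (4 to 31) is the limit common bcrypt implementations enforce.

```python
import re

# bcrypt's own base-64 alphabet; the character order differs from RFC 4648 base64.
BCRYPT_ALPHABET = "./ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"

# $<version>$<cost>$<22-char salt><31-char hash>; 2a/2b/2y are the usual versions.
BCRYPT_RE = re.compile(
    r"^\$(2[abxy])\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$"
)


def bcrypt_b64decode(text: str) -> bytes:
    """Decode bcrypt base-64: 4 chars -> 3 bytes; a trailing 2 or 3 chars
    yield 1 or 2 bytes (the leftover low bits of the last char are dropped)."""
    vals = [BCRYPT_ALPHABET.index(c) for c in text]
    out = bytearray()
    for i in range(0, len(vals), 4):
        chunk = vals[i:i + 4]
        if len(chunk) < 2:
            raise ValueError("dangling base-64 character")
        out.append(((chunk[0] << 2) | (chunk[1] >> 4)) & 0xFF)
        if len(chunk) > 2:
            out.append(((chunk[1] << 4) | (chunk[2] >> 2)) & 0xFF)
        if len(chunk) > 3:
            out.append(((chunk[2] << 6) | chunk[3]) & 0xFF)
    return bytes(out)


def parse_bcrypt(record: str) -> dict:
    """Split a modular-crypt bcrypt string into its fields and sanity-check them."""
    m = BCRYPT_RE.match(record)
    if not m:
        raise ValueError("not a bcrypt modular-crypt string")
    version, cost_text, salt_text, hash_text = m.groups()
    cost = int(cost_text)
    if not 4 <= cost <= 31:  # range accepted by common bcrypt implementations
        raise ValueError(f"cost {cost} out of range")
    salt = bcrypt_b64decode(salt_text)
    digest = bcrypt_b64decode(hash_text)
    if len(salt) != 16 or len(digest) != 23:  # 128-bit salt, 184-bit hash
        raise ValueError("salt or hash decoded to an unexpected length")
    return {"version": version, "cost": cost, "rounds": 2 ** cost,
            "salt": salt, "hash": digest}


if __name__ == "__main__":
    # The record discussed above (cost 10, salt N9qo8u..., hash IjZAgc...).
    fields = parse_bcrypt("$2a$10$N9qo8uLOickgx2ZMRZoMyeIjZAgcfl7p92ldGxad68LJZdL17lhWy")
    print(fields["version"], fields["cost"], fields["rounds"], fields["salt"].hex())
```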
Bcrypt vs Hash+salt
Both bcrypt and a plain hash+salt scheme prevent rainbow-table attacks (the attack that made unsalted MD5 so vulnerable), because a per-user salt means a precomputed table cannot be reused across accounts. Among plain hashes, SHA (4 flavors) is better than MD5 in that collisions are practically infeasible to find, whereas MD5 collisions are easy to generate; that collision weakness is one of the main reasons MD5 is considered insecure.
Speed-wise, bcrypt runs at the millisecond level per hash, which can feel slow when many users log in concurrently; that cost is deliberate, since it slows an attacker's guessing by the same factor. Hash+salt is much faster, but correspondingly less secure against offline guessing.