
If I hash the same plain-text multiple times, it returns different hash strings:

$x = 'asdf';
echo wp_hash_password( $x ).'<BR>';
echo wp_hash_password( $x ).'<BR>';
echo wp_hash_password( $x ).'<BR>';
echo wp_hash_password( $x ).'<BR>';

$P$BESNH8tVe6xfVbgXhBI2KNU.2lnyOu.
$P$BlTkcLh3PSGzXtPhofPH9ZGqisxYI0.
$P$BRyTisUAXVEhXNyTQFjOErxIgzE6GN1
$P$BI17Hnqifi2CHQsPi5z/nVbEInNjl21

So, how does wp check the password that the user enters? If it's going to hash the plaintext and check that against the stored hash, it seems the two will never match.

Asked Jul 20, 2022 at 18:22 by Doug Cassidy

  • Try e.g. var_dump( wp_check_password( $x, wp_hash_password( $x ) ) ); to see if it isn't always true. – birgire Commented Jul 20, 2022 at 19:28

1 Answer

By default, each time a new hash is generated (e.g. wp_hash_password()) WordPress salts it with random bytes, producing a unique hash for each call. The string returned from wp_hash_password() consists of four parts concatenated in order - the hashing algorithm ID, the exponent of hash iterations, the randomly generated salt, and finally the salted and hashed password.

For example, given the default hashing configuration, in the string $P$BI17Hnqifi2CHQsPi5z/nVbEInNjl21:

  • $P$ is the algorithm identifier
  • B indicates the number of hashing iterations
  • I17Hnqif is the random salt
  • i2CHQsPi5z/nVbEInNjl21 is the salted and hashed password

When checking a plaintext password against the hash of a stored user password, instead of simply querying the database for a matching user/password hash, WordPress retrieves the stored hash for the user and passes it into wp_check_password() alongside the plaintext password. The checking algorithm extracts the salt and iteration count from the stored hash, and uses them to generate a hash of the plaintext password before checking the two against one another.

This mechanism adds a layer of protection against rainbow table attacks as it makes precomputing/using a dictionary of hashes to passwords more expensive - instead of a single hash for a single input, in WordPress' case there are octillions of possible hashes for a single input.

A brief overview of the general technique can be found here. The source of the PasswordHash class can be scoured for the specifics as they relate to WordPress.
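Added example, not code from the answer or from WordPress itself: a Python reimplementation of the phpass portable-hash scheme the answer describes, following the logic of the PasswordHash class (the $P$ layout, the itoa64 alphabet, the MD5 iteration loop and phpass's own base64 variant are phpass's; the function names are mine). It parses the question's hash into the four fields, re-derives the hash from the stored salt and iteration count the way wp_check_password() does, and shows why each wp_hash_password() call produces a different string.

```python
import hashlib
import hmac
import secrets

# phpass alphabet: a character's index is its 6-bit value, so 'B' -> 13
ITOA64 = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz'

def encode64(raw: bytes) -> str:
    """phpass's private base64: 3-byte groups, little-endian, 6 bits per char."""
    out = ''
    for i in range(0, len(raw), 3):
        chunk = raw[i:i + 3]
        value = int.from_bytes(chunk, 'little')
        out += ''.join(ITOA64[(value >> 6 * k) & 0x3F] for k in range(len(chunk) + 1))
    return out

def parse_setting(setting: str) -> dict:
    """Split a $P$ string into the four fields the answer describes."""
    if len(setting) < 12 or setting[:3] not in ('$P$', '$H$'):
        raise ValueError('not a phpass portable hash')
    count_log2 = ITOA64.index(setting[3])
    if not 7 <= count_log2 <= 30:  # phpass rejects counts outside this range
        raise ValueError('iteration count out of range')
    return {'id': setting[:3], 'count_log2': count_log2, 'iterations': 1 << count_log2,
            'salt': setting[4:12], 'hash': setting[12:]}

def crypt_private(password: str, setting: str) -> str:
    """Re-derive the hash with the salt and iteration count found in `setting`."""
    f, pw = parse_setting(setting), password.encode()
    h = hashlib.md5(f['salt'].encode() + pw).digest()
    for _ in range(f['iterations']):  # 2^13 = 8192 rounds for a 'B' hash
        h = hashlib.md5(h + pw).digest()
    return setting[:12] + encode64(h)

def hash_password(password: str, salt=None, count_log2: int = 13) -> str:
    """wp_hash_password() analogue: a fresh random salt makes every call differ."""
    if salt is None:
        salt = encode64(secrets.token_bytes(6))  # 6 random bytes -> 8 salt chars
    return crypt_private(password, '$P$' + ITOA64[count_log2] + salt)

def check_password(password: str, stored: str) -> bool:
    """wp_check_password() analogue: recompute with the stored salt, then compare."""
    try:
        return hmac.compare_digest(crypt_private(password, stored), stored)
    except ValueError:
        return False
```

Calling hash_password('asdf') twice yields two different 34-character strings, yet check_password('asdf', either_one) is True, because the salt needed to recompute the hash is stored inside the hash itself.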

Tags: authentication | Why does hashing a password result in different hashes each time