How does the “authentication unique keys and salts” feature work?

  1. Basically, they’re hashing salts. They’re used to make the results of hashing much less predictable. See https://en.wikipedia.org/wiki/Salt_(cryptography) for info on salts.

  2. AUTH is used for the /wp-admin authentication cookie, SECURE_AUTH is for the same when using SSL, LOGGED_IN is used for identification to the “front-end” of the site. NONCE is used for the nonces that WordPress generates to guard against CSRF attacks.

  3. The KEY and SALT for each scheme are combined to make the actual salt used. The wp_salt function checks for duplicated strings here to ensure that they are not the same, and to generate random strings if they are.

  4. WordPress preferentially uses the values in the wp-config.php file. If they are not available or are duplicates of one another, random data is generated and stored in the database. But the values defined in the wp-config.php take precedence.

  5. When you login, the password is validated. After that, the cookies are generated. These cookies contain various bits of information that will authenticate you to the site for future visits. The value in the cookie changes based on many factors, including the expiration time, your user name, your password, etc. Basically, the cookie is a username and password all in one. This data is hashed using the auth keys and salts. On future visits, the cookie is sent with the request, and WordPress validates the information it contains. This proves that you are you and so you’re logged in. The value in the cookie is secure because it cannot be generated without knowing the various salts as well as all the other pieces of information.

  6. Their size is really irrelevant. They should be long and random. There is no limit, but there is a point of diminishing returns. Longer is better but takes more time to hash. After around 120 characters or so, it’s kind of overkill.

  7. Yes. You can use any data you like. It does not matter what it is, as long as it’s really random. Any binary string will do. Line noise.

Related Posts:

  1. Auth cookie value security risk?
  2. Is moving wp-config outside the web root really beneficial?
  3. Prevent access or auto-delete readme.html, license.txt, wp-config-sample.php
  4. What is the purpose of having a token in cookies?
  5. How to secure or disable the RSS feeds?
  6. Generate WordPress salt
  7. Do Cookies Need to be Sanatized Before Being Saved?
  8. Garbage in beginning of wp-config.php – was this WP installation compromised?
  9. Security error WP 4.0 + WP phpBB Bridge [closed]
  10. How do I authenticate WP users from a chrome extension?
  11. Best Way to Enable Two Step Authentication
  12. Restricting access to content
  13. Single sign-on: wp_authenticate_user vs wp_authenticate
  14. Securing wp-config leads to sensitive information leak on wp-settings
  15. Is there any point setting the keys and salts in wp-config.php?
  16. What’s the point of forbidding access to wp-config.php?
  17. Where to store OAuth 2.0 client id and secret?
  18. Config file with no Keys..?
  19. White screen of death on admin pages after moving wp-config up two levels for security
  20. Session Cookie security questions
  21. Storing FTP details in wp-config.php
  22. My Site keeps crashing due to the wp-confg file being deleted
  23. Moving wp-config.php outside root folder where we have multiple wordpress websites for enhanced security [duplicate]
  24. How to change location of wp-config.php to folder or 2 folders up?
  25. Adding Security Keys?
  26. Remove hacked code – out of ideas! [closed]
  27. Secret keys in SCM
  28. Uploading attachment (pdf) and prevent download for anonymous user
  29. wp-config.php moved above root results in no plugin updates
  30. wp-config.php file and code injection
  31. Malware/Permission bug removal?
  32. Default installation permissions for wp-config.php
  33. Move data from wp-config to another file
  34. Why is SSH password authentication a security risk?
  35. Authentication versus Authorization
  36. What’s the best approach for generating a new API key?
  37. Simplest two-way encryption using PHP
  38. How does the SQL injection from the “Bobby Tables” XKCD comic work?
  39. how fix “this certificate cannot be verified up to a trusted certification authority”
  40. How can bcrypt have built-in salts?
  41. Getting a List of Currently Available Roles on a WordPress Site?
  42. How safe / sanitized is wp_insert_posts()?
  43. From a security standpoint, should bloginfo() or get_bloginfo() be escaped?
  44. Why are passwords exportable as plain text in WordPress?
  45. Is there a way to force ssl on certain pages
  46. How is password strength calculated?
  47. Regular security checks – what steps should be included?
  48. What are the pros and cons of using a custom front-end to retrieve content from a WordPress back-end
  49. Disable external access to REST API Endpoint
  50. What is the wp-includes/certificates/ca-bundle.crt used for?
  51. Do you need to escape hard coded plain text?
  52. Encrypt emails?
  53. WordPress salts set in config and database
  54. Disallow file edit not preventing plugin install
  55. How to secure WordPress XMLRPC?
  56. How can I find security hole in my wordpress site?
  57. Does WP show me if I’m logged in from multiple locations?
  58. WordPress Malware Problem help! [duplicate]
  59. Restrictive File Permissions
  60. Why are xmlrpc.php and wp-cron.php being called so often?
  61. Using esc_html with HTML purifier and CSSTidy: Overkill?
  62. wordfence scan warning on W3 Total Cache [closed]
  63. wp-config.php modified?
  64. Suspicious Files
  65. wp-json and what data does it give away?
  66. Is is necessary to use security plugin for wordpress? [closed]
  67. neccessary?
  68. How to delete Passwrd Protected posts cookies when a user logged out from the site
  69. Local file inclusion critical security issue [closed]
  70. my wordpress website is suspended [closed]
  71. After logout browser’s back button into twenty sixteen theme profile
  72. iTheme Security always lockout my account [closed]
  73. Is it sensible to worry about sanitizing admin input in plugin custom CSS?
  74. WordPress Front end Form – Enable to Submit PHP Codes
  75. Is it safe use wp_editor in public contact form
  76. Is WordPress MultiSite secure & how much can it scale? [closed]
  77. How safe is current_user_can()?
  78. Is it safe to give wordpress directories ownership to www-data?
  79. Do we need to escape data that we receive from theme options?
  80. Why does WordPress change a file’s permissions?
  81. Auto log in hook is requiring a page refresh
  82. Side effects of disallowing *.php requests in production environment?
  83. Outgoing new connection to linked Websites – why?
  84. Someone keeps changing my SITEURL (mysql injection or xss?) [closed]
  85. Replace domain in database
  86. What highest security brake with wordpress and static files?
  87. Spam in WordPress root folder
  88. Multiple issues with Ajax login function due to browsers and cookies
  89. Use WP cookie to authentificate user on an external app
  90. Basic Auth .htaccess on wp-login, but allow logout from woocommerce
  91. how to add security questions on wp-registration page and validate it
  92. Cannot access wp admin of WordPress website (security plugin issue) [closed]
  93. Why are the latest visits to my website originating from my own website?
  94. Cookie is not set
  95. How do I hide WordPress users from security scanning?
  96. Background Updates Not Happening
  97. FORCE_SSL_ADMIN affecting subdomains
  98. What is the best security $_POST method?
  99. How to resolve these findings from security audit
  100. SSH keypair generation: RSA or DSA?