How WordPress hashes passwords

I’m the author of the linked article (thanks for the shout-out, by the way).

The WordPress function that does the hashing is wp_has_password() and, by default, it will run the password through 8 rounds whatever the “best” algorithm the server makes available to PHPass is. WordPress, again by default, uses MD5. However you can also configure things to use Blowfish or DES if you so desire.

For reference, take a look at:

Note the documentation of wp_hash_password itself states:

Creates a hash of a plain text password. Unless the global $wp_hasher is set, the default implementation uses PasswordHash, which adds salt to the password and hashes it with 8 passes of MD5. MD5 is used by default because it’s supported on all platforms. You can configure PasswordHash to use Blowfish or extended DES (if available) instead of MD5 with the $portable_hashes constructor argument or property (see examples).

If you’re still in PHP land, you can port the functionality directly to your new system and have a fair amount of parity with WordPress’ default implementation. You could also just build the new system in such a way that it uses WordPress as the authentication provider (similar to OpenID), then you won’t need to worry about it at all.

Related Posts:

  1. wp_hash_password create a different hash everytime
  2. Not able to log for the first time on a salted WordPress by creating pwd on BD
  3. How to change user password with wp-cli?
  4. Loosen/disable password policy
  5. Password Protect Custom Page
  6. Password protecting a page
  7. How to save Admin FTP password
  8. How can I change the default wordpress password hashing system to something custom?
  9. If I change the salt keys in my wp-config will all passwords break?
  10. Conditional to test if post has password protection enabled
  11. How to add Wp_error using lostpassword_post hook when validating custom field?
  12. Duplicate hash method for password in .NET
  13. Hide password protected posts
  14. Access code/password only restricts page access, no user registration..?
  15. PasswordHash not found in namespace
  16. Force all users in MU to change their passwords
  17. Reseting admin password through PHPMyadmin fails
  18. Check Password Reset Key Not Woking
  19. Reset password – set minimum length for new password
  20. How to shorten length of auto generated password sent during registration?
  21. wp_hash_password unexpected behaviour
  22. Redirect a password protected page?
  23. Lost password link is redirecting to /shop/my-account/lost-password/
  24. Change default recovery link expiration time
  25. Set content type to HTML for lost password email only
  26. Password protecting template, secured content not showing if even password is right
  27. Make post password required to publish
  28. WordPress reset password returns invalid key
  29. Add error message on password protected pages
  30. User password field is empty
  31. How to set minimum length and error message for password recovery?
  32. Why is resetting the WordPress Users password not working?
  33. Get plain password on register
  34. post_password_required() not recognizing cookie set with correct password
  35. How Authentication in wordpress works? wp_authenticate_username_password()
  36. Password protect the site (without htaccess or membership)
  37. Password Protected page not asking for a password
  38. I would like to password protect my entire WordPress site (ip validated), except for one page
  39. Custom login form for front-end user as well as admin
  40. how to remotely check a username / password from within a plugin
  41. Password changed [duplicate]
  42. How to get user password before being encrypted outside the wordpress core once add a new user from dashboard?
  43. How to change password
  44. Password protect pages – allow more than one password
  45. password recovery key is invalid on custom reset
  46. Like to store multiple passwords in db table wp_posts field post_password?
  47. Password Protected Post is invisible until you login
  48. Protect Passwords in wp_users with stronger protection than MD5
  49. How secure is a wp-config file?
  50. How to check user’s password?
  51. How to Remove or Deactivate “Application Passwords” in WordPress
  52. What’s the algorithm to verify user password?
  53. How to change “Reset Password” text on submit button
  54. Customize retrieve password message
  55. resend user login & password with custom button
  56. WordPress admin creation through phpmyadmin not working
  57. How to show my wordpress admin username & password?
  58. Why does hashing a password result in different hashes, each time?
  59. How to initiate password reset flow by code
  60. Change password fields
  61. How to read third party cookie to access password protected pages
  62. Ask logged in user to re-enter password to access page “x”
  63. Password protected sites
  64. How would I create a Password Protected Page with Content on it?
  65. Site only for users authenticated by different PHP application
  66. wordpress custom password change problem
  67. Allow all reset password links within the past 24 hours to be valid and accepted
  68. WooCommerce Lost Password reset goes to 404
  69. How to store API authentication password?
  70. Set id and password for each post
  71. I have to reset the admin password each time
  72. I need help with wp_lostpassword, wp_register and wp_login_form
  73. Create Member who can’t be changed
  74. Automatically change the page password for more than one page
  75. Sending Reset Password email via Web API
  76. $expiration_duration = apply_filters( ‘password_reset_expiration’, DAY_IN_SECONDS );
  77. Frontend custom forgot password page
  78. Entering a WP site with a SMS code
  79. Problem with login / reset password links in users emails
  80. Password Protect content() on homepage
  81. Function called by password_reset action passed only 1 argument instead of 2 in PHP 7.2.11
  82. How to set password from frontend if have activation key and user login in url in wordpress?
  83. Allow users from my ASP.Net MVC site to access my private WordPress site
  84. Lost Password redirect to My Account
  85. Multiple pages protected by different passwords. Possible to track multiple passwords at a time?
  86. WordPress Protected Page Redirects to PDF
  87. Bypass a WordPress Password Protected Post or Page via a URL
  88. Password Protected Logout Button Not Working
  89. Can I use core passworded page/post functions outside of wp-login.php?
  90. How do I password protect a page of posts on WordPress?
  91. forgot password
  92. WordPress not taking password and username
  93. mysql update user’s password and activation key
  94. Reset Password – change from name and email address. It stucks at admin. Want to change it to info
  95. check if post is set to “password protected”
  96. Override the default password length when creating or updating a user profile
  97. Why can’t I create an Application Password?
  98. FTP Password (not private key-value pair) for EC2 Instance
  99. How to Disable Pre-population of Password on Password Reset
  100. My WordPress password for admin account is changing automatically