Why does hashing a password result in different hashes, each time?

By default, each time a new hash is generated (e.g. wp_hash_password()) WordPress salts it with random bytes, producing a unique hash for each call. The string returned from wp_hash_password() consists of four parts concatenated in order – the hashing algorithm ID, the exponent of hash iterations, the randomly generated salt, and finally the salted and hashed password.

For example, given the default hashing configuration, in the string $P$BI17Hnqifi2CHQsPi5z/nVbEInNjl21:

  • $P$ is the algorithm identifier
  • B indicates the number of hashing iterations
  • I17Hnqif is the random salt
  • i2CHQsPi5z/nVbEInNjl21 is the salted and hashed password

When checking a plaintext password against the hash of a stored user password, instead of simply querying the database for a matching user/password hash, WordPress retrieves the stored hash for the user and passes it into wp_check_password() alongside the plaintext password. The checking algorithm extracts the salt and iteration count from the stored hash, and uses them to generate a hash of the plaintext password before checking the two against one another.

This mechanism adds a layer of protection against rainbow table attacks as it makes precomputing/using a dictionary of hashes to passwords more expensive – instead of a single hash for a single input, in WordPress’ case there are octillions of possible hashes for a single input.

A brief overview of the general technique can be found here. The source of the PasswordHash class can be scoured for the specifics as they relate to WordPress.

Related Posts:

  1. How Authentication in wordpress works? wp_authenticate_username_password()
  2. wordpress redirect after password reset
  3. Loosen/disable password policy
  4. Password protecting a page
  5. How to save Admin FTP password
  6. If I change the salt keys in my wp-config will all passwords break?
  7. Bypass password protected posts via GET variable
  8. Why do generated passwords start/end with spaces?
  9. Duplicate hash method for password in .NET
  10. Hide password protected posts
  11. Safe to store SMTP password in wp-config.php?
  12. Access code/password only restricts page access, no user registration..?
  13. PasswordHash not found in namespace
  14. Force all users in MU to change their passwords
  15. How to shorten length of auto generated password sent during registration?
  16. Forgot password not working
  17. Password reset message – change the network_home_url( ‘/’ )
  18. Lost password link is redirecting to /shop/my-account/lost-password/
  19. WordPress: force users to change password on first login
  20. Can’t login to wordpress despite changing password to something known directly in MySQL or using “Password Reset by Email” feature
  21. Change default recovery link expiration time
  22. Lost password link redirects to my-account/lost-password/,how to fix it back to default lost password
  23. Password protect custom template
  24. Set content type to HTML for lost password email only
  25. Custom password generator for users
  26. Where is the reset password key stored/generated?
  27. How validate usernames/passwords against WP’s database?
  28. Make post password required to publish
  29. Add error message on password protected pages
  30. User password field is empty
  31. Password reset bug? – “Sorry, that key does not appear to be valid”
  32. Get plain password on register
  33. post_password_required() not recognizing cookie set with correct password
  34. Password protect the site (without htaccess or membership)
  35. Password Protected page not asking for a password
  36. How do I get WordPress login to ignore the password input if a particular username is used?
  37. Invalid key on activation and password reset
  38. I would like to password protect my entire WordPress site (ip validated), except for one page
  39. Password protection for page template
  40. how to remotely check a username / password from within a plugin
  41. Password changed [duplicate]
  42. Adding parameters to password reset key
  43. Custom password form allows unlock two posts with the same password
  44. How to change password
  45. OAuth 2 and saving the authenticated user
  46. password recovery key is invalid on custom reset
  47. Password Protected Post is invisible until you login
  48. Send password to user instead of reset password link
  49. Protect Passwords in wp_users with stronger protection than MD5
  50. How secure is a wp-config file?
  51. How to Remove or Deactivate “Application Passwords” in WordPress
  52. REST API: wp_get_current_user not working on second call
  53. How to change “Reset Password” text on submit button
  54. How to recover password from a user
  55. resend user login & password with custom button
  56. How to show my wordpress admin username & password?
  57. Can’t alter $lostpassword_url
  58. How to initiate password reset flow by code
  59. Where to store credentials used in a function? [duplicate]
  60. Change password fields
  61. How to read third party cookie to access password protected pages
  62. Ask logged in user to re-enter password to access page “x”
  63. Password protected sites
  64. 2 accounts under same email preventing me from loging in
  65. How would I create a Password Protected Page with Content on it?
  66. Site only for users authenticated by different PHP application
  67. wordpress custom password change problem
  68. Allow all reset password links within the past 24 hours to be valid and accepted
  69. WooCommerce Lost Password reset goes to 404
  70. I need help with wp_lostpassword, wp_register and wp_login_form
  71. Create Member who can’t be changed
  72. Sending Reset Password email via Web API
  73. I can’t recover my password
  74. $expiration_duration = apply_filters( ‘password_reset_expiration’, DAY_IN_SECONDS );
  75. Frontend custom forgot password page
  76. Entering a WP site with a SMS code
  77. Check for empty username or password on login
  78. Password Protect content() on homepage
  79. Function called by password_reset action passed only 1 argument instead of 2 in PHP 7.2.11
  80. How to set password from frontend if have activation key and user login in url in wordpress?
  81. Allow users from my ASP.Net MVC site to access my private WordPress site
  82. Multiple pages protected by different passwords. Possible to track multiple passwords at a time?
  83. WordPress Protected Page Redirects to PDF
  84. Not able to log for the first time on a salted WordPress by creating pwd on BD
  85. Bypass a WordPress Password Protected Post or Page via a URL
  86. Custom page password recovery
  87. Can I use core passworded page/post functions outside of wp-login.php?
  88. Is it possible to display newly generated password after wp_generate_password()?
  89. How do I password protect a page of posts on WordPress?
  90. forgot password
  91. mysql update user’s password and activation key
  92. Is it possible to have users register without having a password?
  93. Password Protection for posts and pages [duplicate]
  94. How WordPress hashes passwords
  95. WordPress reset password button not working
  96. Override the default password length when creating or updating a user profile
  97. Why can’t I create an Application Password?
  98. FTP Password (not private key-value pair) for EC2 Instance
  99. How to Disable Pre-population of Password on Password Reset
  100. My WordPress password for admin account is changing automatically