
I want to test (unit testing) the HashPassword($password) method from WordPress.

How can I check that HashPassword("123123") will return the correct hash for it?

For example, I want to do something like:

    $hashFor123123 = "$P$P)230230832482349823";
    $result = HashPassword("123123");
    $this->assertSame($hashFor123123, $result);

But the HashPassword method returns a new hash string each time. That is why I can't do the assert.

How to test it?

2 Answers


  1. The reason that the result is different every time you call HashPassword is because your password is prefixed by a random salt before it’s hashed.

    To compare a plaintext password against a known hash, you have to call CheckPassword.

  2. Password hashing uses a random salt, so each time you hash the same password you’ll get a different value back. The theory is explained here, even though WordPress doesn’t use the php password hashing functions, but rather their own. You cannot compare hashes; you can only check whether a given unhashed password matches a hash.

    The random salt defeats cybercreeps’ use of rainbow lookup tables to recover passwords given their hashes. This helps keep your users’ passwords secret even if a cybercreep manages to steal your wp_users table. Defense in depth, it’s called.

    In WordPress, you can hash a password and then check it using wp_hash_password() and wp_check_password(), something like this.

    $hash = wp_hash_password( '123123' );
    if ( wp_check_password( '123123', $hash ) ) {
      /* it worked */
    } else {
      /* it did not work */
    }

    It’s not clear why it is worth your time to unit-test this subsystem. It is used in production many billions of times every day around the world.

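The testing approach both answers describe (hash, then verify with CheckPassword; never compare two raw hashes), as an added PHPUnit example that is not part of the question or either answer. It drives the `PasswordHash` class from `wp-includes/class-phpass.php` directly, the class whose `HashPassword()`/`CheckPassword()` the question refers to, with the same `new PasswordHash( 8, true )` arguments `wp_hash_password()` passes. The `WP_ROOT` environment variable, the require path and the test-class name are assumptions for this example.

```php
<?php
// Added example, not code from the question or the answers. It exercises the
// phpass PasswordHash class WordPress bundles in wp-includes/class-phpass.php.
// Assumption: WP_ROOT points at a WordPress checkout; adjust the path if needed.
declare(strict_types=1);

use PHPUnit\Framework\TestCase;

require_once rtrim((string) getenv('WP_ROOT'), '/') . '/wp-includes/class-phpass.php';

final class PasswordHashTest extends TestCase
{
    private PasswordHash $hasher;

    protected function setUp(): void
    {
        // Same arguments wp_hash_password() uses: cost 8, portable ("$P$") hashes.
        $this->hasher = new PasswordHash(8, true);
    }

    public function testSamePasswordProducesDifferentHashes(): void
    {
        $first  = $this->hasher->HashPassword('123123');
        $second = $this->hasher->HashPassword('123123');

        // Each call draws a fresh random salt, so an assertSame() against a
        // fixed string, as attempted in the question, can never pass.
        $this->assertNotSame($first, $second);
    }

    public function testHashHasPortablePhpassLayout(): void
    {
        $hash = $this->hasher->HashPassword('123123');

        // "$P$" + 1 cost char + 8 salt chars + 22 digest chars = 34 characters.
        // 'B' is index 13 of the phpass alphabet, i.e. 2^13 MD5 rounds.
        $this->assertSame(34, strlen($hash));
        $this->assertStringStartsWith('$P$B', $hash);
        $this->assertMatchesRegularExpression('#^\$P\$B[./0-9A-Za-z]{30}$#', $hash);
    }

    public function testCheckPasswordAcceptsOnlyTheOriginalPassword(): void
    {
        $hash = $this->hasher->HashPassword('123123');

        $this->assertTrue($this->hasher->CheckPassword('123123', $hash));
        $this->assertFalse($this->hasher->CheckPassword('123124', $hash));
        $this->assertFalse($this->hasher->CheckPassword('', $hash));
    }

    public function testSaltIsEmbeddedSoVerificationIsDeterministic(): void
    {
        $hash = $this->hasher->HashPassword('123123');

        // The first 12 characters ("$P$" + cost + salt) are the "setting".
        // Re-hashing with that same setting reproduces the stored hash exactly,
        // which is what CheckPassword() does internally before comparing.
        $setting = substr($hash, 0, 12);
        $this->assertSame($hash, $this->hasher->crypt_private('123123', $setting));
        $this->assertNotSame($hash, $this->hasher->crypt_private('123124', $setting));
    }

    public function testTamperedHashIsRejected(): void
    {
        $hash = $this->hasher->HashPassword('123123');

        // Change the final digest character; the correct password must now fail.
        $replacement = $hash[33] === 'a' ? 'b' : 'a';
        $tampered    = substr($hash, 0, 33) . $replacement;

        $this->assertFalse($this->hasher->CheckPassword('123123', $tampered));
    }
}
```

Run it with `WP_ROOT=/path/to/wordpress vendor/bin/phpunit PasswordHashTest.php`. The tests pin down the properties that actually matter (format, round-trip verification, rejection of wrong or altered input) without depending on any particular salt, which is the only way a salted hash function can be tested.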