Salted and hashed passwords

Hi there.

Is there a reason why kirby is not working with salted passwords? Or did I miss this in the code? I like the way wordpress is working with salts, is there a possibility to implement something like this in kirby?

Thanks in advance for your answers!


IIRC Kirby salts and hashes passwords using the blowfish cipher when creating and updating users with the Password class in the toolkit. The salt is randomly generated.

I’m not really sure if this answers your question.

1 Like
public static function hash($plaintext) {
    $salt = substr(str_replace('+', '.', base64_encode(sha1(str::random(), true))), 0, 22);
    return crypt($plaintext, '$2a$10$' . $salt);
1 Like

Ok, thanks for copying the function. Indeed I missed this one in the code.

So, for my understanding:

$plaintext is the input of the plain password and gets combined with the salt and both gets hashed by the natural php function crypt (

This function will be fired when a new user is created or gets updated.


Exactly :slight_smile: (and some more characters)

Ok, so now here comes my stupid question:

For the login process the system needs to build the same crypted code again from the plain input to compare the stored key with the login created key. I’m a little bit confused how the login can compare a randomized key?

If you hash a password both when it is first created and then again if it is entered for login purposes, the result will always be the same (this is called “deterministic”).

1 Like

Alright, thanks for your answers! (and patience :slight_smile:)

1 Like