Authentication Unique Keys and Salts, how do they work and what's their purpose?


#1

What are these and how do they work in the WordPress installation? I understand once these are generated they should be pasted into the wp-config.php file in my WP installation located on the web server. But I don’t understand the mechanics of what function they perform. Is there some kind of handshaking going on and between what?

I’m a newbie at all of this so have an el cheapo shared hosting package from DH which suits me fine until I learn the ropes. From a little bit of exploring I can see a listing for ‘/’ where I have no privileges as I’m not root. When I try to list what’s in ‘/home’ I’m told permission denied. When I drill down to my actual home directory I can see I finally have permissions and can see my domain directory which contains the WP installation. So I take it anything above my actual home directory is off limits and belongs to the DH admins.

Thanks for any guidance :)


#2

The short answer is that “Authentication Unique Keys and Salts” are part of password and cookie security. A full answer is beyond the scope of this forum. For more information, start here, at the end of that codex section there are additional links.

“shared” doesn’t mean you can be nosy. You can’t see the contents of /home for security and privacy of the other users on the shared server. However, not everything on the server’s file tree is off limits.


#3

Thank you for your reply but I’m really none the wiser.

I am a newbie and the links you supplied assume too much. I want a link to a guide or tutorial on what Authentication keys and salts are, i.e. the basics. How they work, where they are stored and how they serve us and, as a practical example, how it’s making WP secure for me.

If I find a helpful resource I will post it.


#4

You need to study basic encryption first. Once you understand how that works then you can apply it to WordPress.

You’re asking about a topic that could be the subject of an entire semester college course. Also, if math isn’t your best subject you may never entirely understand how they work.

Actually there is a book in the “for dummies” series that might tell you what you want to learn.


#5

I don’t think you understand, I don’t care about the theory of encryption.

What reads the keys stored in the wp_config.php?
What are these keys making secure?
How are these keys validating users?
How do these keys block hackers?
How come a hacker can’t just view wp_config.php?
Are these keys stored anywhere else?

You say: “The short answer is that ‘Authentication Unique Keys and Salts’ are part of password and cookie security.”
Imagine you need to explain this to a layman starting to use WP.

All I keep hearing is it makes my site secure but nobody is offering an explanation. I get the feeling very few people actually understand how these things work and those that do can be bothered to explain it.


#6

If you’re worried about security (and we all should be) have you read this?:

http://codex.wordpress.org/Hardening_WordPress

Lots of good information there about WordPress security.

If you need a simple explanation for something that is really complex, these links may help:

https://wordpress.org/support/topic/new-to-this-and-trying-to-do-a-upgradeauthentication-unique-keys-and-salts?replies=8#post-1933927

Long story short: they improve the encryption of the cookies that WordPress sets. (WordPress doesn’t use PHP sessions to keep track of things; it uses cookies.) Should you use them? Yup! Do most WP users use them? Probably not.
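
An added illustration, not part of any post above and not WordPress's own code: a simplified Python model of how a secret key and salt kept in wp-config.php can protect a login cookie with a keyed hash (HMAC), so the server can tell a cookie it issued from one that was edited or made up. WordPress itself is written in PHP and its real cookie carries more fields; the function names, cookie layout and sample values here are assumptions made for the example.

```python
import hashlib
import hmac

# Constructed stand-ins for the AUTH_KEY / AUTH_SALT lines in wp-config.php
# (assumption: real values are long random strings that stay on the server).
AUTH_KEY = "constructed-sample-key"
AUTH_SALT = "constructed-sample-salt"


def sign(secret, message):
    """Keyed hash (HMAC-SHA256): only someone holding the secret can compute it."""
    return hmac.new(secret.encode(), message.encode(), hashlib.sha256).hexdigest()


def make_cookie(username, expires, key=AUTH_KEY, salt=AUTH_SALT):
    """Issue 'username|expires|signature' after a successful login."""
    payload = f"{username}|{expires}"
    return f"{payload}|{sign(key + salt, payload)}"


def check_cookie(cookie, now, key=AUTH_KEY, salt=AUTH_SALT):
    """Return the username if the cookie is genuine and unexpired, else None."""
    parts = cookie.split("|")
    if len(parts) != 3:
        return None
    username, expires, signature = parts
    try:
        if int(expires) < now:
            return None
    except ValueError:
        return None
    expected = sign(key + salt, f"{username}|{expires}")
    # Constant-time comparison so timing does not leak the correct signature.
    if not hmac.compare_digest(expected.encode(), signature.encode()):
        return None
    return username


def demo():
    now = 1_700_000_000  # constructed timestamp
    cookie = make_cookie("alice", now + 3600)
    return {
        "genuine": check_cookie(cookie, now),
        "edited": check_cookie(cookie.replace("alice", "admin", 1), now),
        "expired": check_cookie(cookie, now + 7200),
        "keys_rotated": check_cookie(cookie, now, key="another-constructed-key"),
    }


if __name__ == "__main__":
    print(demo())
```

The `keys_rotated` case is what happens when the keys in wp-config.php are regenerated: every cookie issued under the old values stops verifying and users have to log in again.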