from werkzeug.security import generate_password_hash
password_hash = generate_password_hash(password='qwerty', method='sha512')
print(password_hash)
I get a different hash every time I run it in PyCharm. Here are some results:
sha512$C6Q28TMjmhzqiJ9I$4d59ead48cde4dc1b0dcc359e5479cede957cb49013602bd2028f3f3eeba55386e441d70866feb70e2eeb7ab1108aad9980241fb87275282a7181f22da329b44
sha512$Y48EzPVVB3OgFvTp$294f00b6129e870480661090b5f946f601020c601c90bb12ecb17c8b8fa9b214cf8afd4954f5d3c50b65f14aa21caf9e0f41aaa718f1a5d22d18da49a70b1f12
sha512$RN4rNnGhSV95T806$1dfa460209d297e682e610c4f33178125719cc3f6c670f4110b5be405e63ad312a09e0dff8800f3fc23afaff2d892f73e433d53be447a268aacaede2f8d2a461
Shouldn't it be this, and be the same all the time? sha512$0dd3e512642c97ca3f747f9a76e374fbda73f9292823c0313be9d78add7cdd8f72235af0c553dd26797e78e1854edee0ae002f8aba074b066dfce1af114e32f8
Good quality password hashing makes use of a salt:
In cryptography, a salt is random data that is used as an additional input to a one-way function that hashes data, a password or passphrase. Salts are used to safeguard passwords in storage. Historically, only a cryptographic hash function of the password was stored on a system, but over time, additional safeguards were developed to protect against duplicate or common passwords being identifiable (as their hashes are identical). Salting is one such protection.
A new salt is randomly generated for each password. Typically, the salt and the password (or its version after key stretching) are concatenated and fed to a cryptographic hash function, and the output hash value (but not the original password) is stored with the salt in a database. Hashing allows later authentication without keeping and therefore risking exposure of the plaintext password if the authentication data store is compromised. Note that due to this, salts don't need to be encrypted or stored separately from the hashed password itself, because even if an attacker has access to the database with the hash values and the salts, the correct use of said salts will hinder common attacks.
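The following is an added example, not code from the original post or from Werkzeug. It shows why two hashes of the same password differ and how verification still works by reading the salt back out of the stored string. The `method$iterations$salt$digest` layout, the `pbkdf2-sha512` label, the iteration count and all function names are assumptions made for this illustration.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 210_000  # assumed work factor for PBKDF2-HMAC-SHA512


def unsalted_sha512(password: str) -> str:
    """What the question expected: same input, same digest, every run."""
    return hashlib.sha512(password.encode()).hexdigest()


def _derive(password: str, salt: str, rounds: int) -> str:
    return hashlib.pbkdf2_hmac("sha512", password.encode(), salt.encode(), rounds).hex()


def make_hash(password: str) -> str:
    """Return 'method$iterations$salt$digest' with a fresh random salt per call."""
    salt = secrets.token_urlsafe(12)  # 16 URL-safe characters, never contains '$'
    return f"pbkdf2-sha512${ITERATIONS}${salt}${_derive(password, salt, ITERATIONS)}"


def verify(stored: str, candidate: str) -> bool:
    """Re-derive with the salt stored in the record, then compare in constant time."""
    try:
        method, iterations, salt, digest = stored.split("$")
        rounds = int(iterations)
    except ValueError:
        return False  # malformed record: wrong field count or non-numeric rounds
    if method != "pbkdf2-sha512" or rounds < 1:
        return False
    return hmac.compare_digest(_derive(candidate, salt, rounds).encode(), digest.encode())


def demo():
    first, second = make_hash("qwerty"), make_hash("qwerty")
    return {
        "records_differ": first != second,            # different salts
        "first_verifies": verify(first, "qwerty"),
        "second_verifies": verify(second, "qwerty"),
        "wrong_password": verify(first, "qwertz"),
        "unsalted_repeats": unsalted_sha512("qwerty") == unsalted_sha512("qwerty"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

With Werkzeug itself, `check_password_hash(stored_hash, candidate)` from `werkzeug.security` performs the verification step, so stored hashes are never compared as plain strings.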