Removed password salt a problem?

Hi.
As far as I understand the password salt in config/site.php is used when I create a new user to hash the password. Right?

I don't know why but I removed the password salt line from site.php. How can I get it back? If I just use another password salt (maybe from a clean install) will my current admin login and the other users still work? How can I recover the original password salt? Thanks!

malthoff
 
enlil replied:
You'd need to try to recover a backup copy of the file. Without that salt, your site is useless :| Had the same issue a while back. Luckily I had just started working on the site and it wasn't much to just reinstall...
JohntheFish replied:
config/site barely changes and never the salt, so you could recover the value from really old backups.
mesuva replied:
You are right in saying it used to hash the password, but it's also used when testing whether a submitted password is correct.

Think of the salt as a compulsory piece of everyone's password. Changing the salt means you are effectively changing everyone's password, without updating the hashes to match. (Maybe not the best way to explain it, but I think of it that way.)

So the bad news is that without the original salt, your current user passwords won't work. There's no other place in concrete5 where the salt is stored, so you'll need to find a backup of your site and get it from there.

The good news is that it doesn't change over time; it's created right at the initial install, so all you need is ANY backup of your site.php file since you installed concrete5.

Failing that, you'll need to just create a new salt (it's really just a big string of random characters) and reset your admin password. Then reset your user passwords.
vernb replied:
Hi

I have encountered a somewhat similar problem in that I have created a local install under XAMPP. Having got the site set up and working, all bar content, I transferred it to an online testing location only to find that everything worked but I couldn't log in!

I looked at the site/config.php file and there was NO password salt!

Next step was to go back to the local version and check the site/config.php file and it too did not have a password salt!

I checked that I could still log in as admin on the local site - I could.

I went back to the online copy and requested a password reset. I received the email and followed the link and set my new password to the same as the old password. It accepted this password and I could then log in.

BUT... there is still no password salt in the site/config.php file!

Does this mean my site is not secure?
How does the password work without the password salt?
Is there in fact a password salt... but it's hiding from me?

I am puzzled and confused!

Any suggestions?

Thanks
jpcharrier replied:
I have the same issue with a fresh install of concrete 5.6.3.1.
After install (installs perfectly...) I checked the site.php and it only had
<?php
define('DB_SERVER', 'XXXXXXX');
define('DB_USERNAME', 'XXXXXXX');
define('DB_PASSWORD', 'XXXXXXX');
define('DB_DATABASE', 'XXXXXXX');

with no mention of a password salt....

I did this 3 more times with fresh installs and all were the same...

Is this a bug?
enlil replied:
as of 5.6.3.1, there isn't a password salt on fresh install. If you update from a previous version it will still be retained in site.php
jpcharrier replied:
Ok thanks for your quick response...

Are there any drawbacks to no password salt...? Like, is it now redundant moving forward? (Sorry, I hope this isn't a silly question...)
enlil replied:
The password hashing changed and the salt is now only retained from updates for backward purposes. Not positive as to specifics and implications.
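To make mesuva's "compulsory piece of everyone's password" point and enlil's "the hashing changed" point concrete, here is an added illustration that is not concrete5's code: scheme A mixes one site-wide salt from the config file into every hash (so losing that line breaks every login until passwords are reset), while scheme B stores a random per-user salt inside the hash string, so nothing in the config file is needed to verify later. The salt strings and password below are constructed sample values, and the hash functions are simplified stand-ins, not the algorithms concrete5 actually used.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # PBKDF2 work factor for the self-salted scheme


# Scheme A: one site-wide salt taken from the config file is part of every hash.
def legacy_hash(password: str, site_salt: str) -> str:
    return hashlib.sha256((site_salt + password).encode()).hexdigest()


def legacy_verify(password: str, stored: str, site_salt: str) -> bool:
    # Verification needs the SAME site salt that was used when hashing.
    return hmac.compare_digest(legacy_hash(password, site_salt), stored)


# Scheme B: a random per-user salt is generated at hash time and stored next
# to the digest, so the config file plays no part in verifying later.
def modern_hash(password: str, salt: bytes = b"") -> str:
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return "pbkdf2$" + salt.hex() + "$" + digest.hex()


def modern_verify(password: str, stored: str) -> bool:
    _, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), ITERATIONS)
    return hmac.compare_digest(digest.hex(), digest_hex)


def demo() -> dict:
    original_salt = "constructed-original-site-salt"  # constructed sample value
    replacement_salt = "constructed-replacement-salt"  # constructed sample value
    stored = legacy_hash("correct horse", original_salt)
    results = {
        # Original salt still in site.php: login works.
        "legacy_original_salt": legacy_verify("correct horse", stored, original_salt),
        # Salt line lost and replaced: same password, same stored hash, login fails.
        "legacy_replacement_salt": legacy_verify("correct horse", stored, replacement_salt),
    }
    # The recovery path from the thread: a password reset re-hashes the password
    # under whatever salt is configured now, so that user can log in again.
    rehashed = legacy_hash("correct horse", replacement_salt)
    results["legacy_after_reset"] = legacy_verify("correct horse", rehashed, replacement_salt)
    # Self-salted hash: there is no site-wide salt to lose.
    modern = modern_hash("correct horse")
    results["modern_correct"] = modern_verify("correct horse", modern)
    results["modern_wrong"] = modern_verify("wrong password", modern)
    return results
```

Running `demo()` shows scheme A failing as soon as the configured salt differs from the one the hashes were made with, which is exactly why any backup of the original site.php, however old, is enough to restore logins.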