Wow! good luck with that. This is an issue that shouldn't happen to anybody but could possibly happen to anyone not being careful. I, also, would like to know if there is a way to, and "How do you recover the salt for passwords" if it becomes corrupt or destroyed.

The only way of getting it back that I'm aware of, is to get it from a site backup... Killed a site once accidentally removing it and about the time I finished moving everything to a new site, I realized how easy it was to get it back. ALWAYS have backups running! I've also now started keeping a log of all my site salts on my desktop just in case :)

Good response. I was thinking of keeping it in the db but perhaps this info should not be saved on the server at all but as you say, on your desktop.

As others have mentioned, there is no easy way aside from brute forcing to get your salt back. To brute force you would essentially have to send some users password you know, with a guessed salt, and compare it to the database value. Even then, if you find a match there is still a small chance that your salt+password combination you found a match against was what is known as a collision, which would mean that it would work for that username / password, but possibly not for others.


Now, all of that said, if you are just worried about the admin user, you could create a NEW salt, and then use Mlky's lockpick tool to reset it via a script. However, if you have other users this would mean resetting all of their passwords too.

https://github.com/mkly/concrete5-Lockpick...