Removed password salt a problem?

Hi.
As far as I understand the password salt in config/site.php is used when I create a new user to hash the password. Right?

I don't know why but I removed the password salt line from site.php. How can I get it back? If I just use another password salt (maybe from a clean install) will my current admin login and the other users still work? How can I recover the original password salt? Thanks!

malthoff
 
ThomasJ replied:
Wow! Good luck with that. This is an issue that shouldn't happen to anybody but could possibly happen to anyone not being careful. I, also, would like to know if there is a way to, and "How do you recover the salt for passwords" if it becomes corrupt or destroyed.
enlil replied:
The only way of getting it back that I'm aware of is to get it from a site backup... Killed a site once accidentally removing it and about the time I finished moving everything to a new site, I realized how easy it was to get it back. ALWAYS have backups running! I've also now started keeping a log of all my site salts on my desktop just in case :)
ThomasJ replied:
Good response. I was thinking of keeping it in the db but perhaps this info should not be saved on the server at all but as you say, on your desktop.
exchangecore replied:
As others have mentioned, there is no easy way aside from brute forcing to get your salt back. To brute force you would essentially have to send some user's password you know, with a guessed salt, and compare it to the database value. Even then, if you find a match there is still a small chance that your salt+password combination you found a match against was what is known as a collision, which would mean that it would work for that username / password, but possibly not for others.


Now, all of that said, if you are just worried about the admin user, you could create a NEW salt, and then use mkly's Lockpick tool to reset it via a script. However, if you have other users this would mean resetting all of their passwords too.

https://github.com/mkly/concrete5-Lockpick...
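
Added example, not part of the thread and not code from any poster or from the project: a way to check salt values recovered from old backups (enlil's suggestion) using the known-password comparison exchangecore describes, requiring a match on at least two accounts so a single coincidental match is not accepted. The hash scheme (`md5` over `password:salt` with one site-wide salt), the function names and all sample values are assumptions constructed for illustration.

```python
import hashlib
import hmac


def legacy_hash(password, salt):
    # ASSUMPTION: MD5 over "password:salt" with one site-wide salt. The thread
    # does not state the scheme; replace this function if your install differs.
    return hashlib.md5(f"{password}:{salt}".encode("utf-8")).hexdigest()


def score_candidates(candidates, known_accounts, hash_fn=legacy_hash):
    """Count, per candidate salt, how many known accounts it reproduces."""
    scores = {}
    for raw in candidates:
        salt = raw.strip()  # values pasted from backups often carry whitespace
        if not salt or salt in scores:
            continue
        scores[salt] = sum(
            hmac.compare_digest(hash_fn(pw, salt), stored.strip().lower())
            for pw, stored in known_accounts
        )
    return scores


def confirmed_salt(candidates, known_accounts, hash_fn=legacy_hash):
    """Return the one salt that matches every known account, else None."""
    if len(known_accounts) < 2:
        raise ValueError("verify against at least two accounts")
    scores = score_candidates(candidates, known_accounts, hash_fn)
    full = [s for s, hits in scores.items() if hits == len(known_accounts)]
    return full[0] if len(full) == 1 else None


# Constructed sample data: (password you know, hash as stored in the database).
_REAL = "constructed-salt-A1b2C3"
KNOWN = [(pw, legacy_hash(pw, _REAL)) for pw in ("admin-pass-1", "editor-pass-2")]
# Constructed candidates, e.g. salt lines copied out of old config/site.php backups.
CANDIDATES = ["constructed-salt-from-staging", " constructed-salt-A1b2C3\n", ""]

if __name__ == "__main__":
    print(score_candidates(CANDIDATES, KNOWN))
    print(confirmed_salt(CANDIDATES, KNOWN))
```

If `confirmed_salt` returns `None`, none of the backup values is the original salt and the remaining option from the thread is a new salt plus password resets.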