var $secret - can I change it at any time or white is black?

amoooc
Joomla! Enthusiast
Posts: 111
Joined: Thu Jul 08, 2010 8:17 pm

var $secret - can I change it at any time or white is black?

Post by amoooc » Wed Apr 20, 2011 10:46 pm

Hi!

I was reading about var $secret but I'm still confused.

Can I change var $secret to a random number on my website at any time when the website already has members? Will it cause any problems in the future?

Please answer YES or NO and why... please
Last edited by amoooc on Tue Apr 26, 2011 4:32 pm, edited 4 times in total.

mandville
Joomla! Master
Posts: 15100
Joined: Mon Mar 20, 2006 1:56 am
Location: The Girly Side of Joomla in Sussex

Re: var $secret - secret word - can I change it multiple tim

Post by mandville » Wed Apr 20, 2011 10:52 pm

http://docs.joomla.org/Help15:Screen.config.15
Secret Word. This is generated when Joomla! is first installed and is not changeable. It is used internally by Joomla! for security purposes.

It is used to salt passwords, etc.
HU2HY- Poor questions = Poor answer
Unrequested Help PMs will be reported, added to the foe list and possibly just deleted
{VEL Team Leader}{TM Auditor }{ Showcase & Security forums Moderator}


Re: var $secret - secret word - can I change it multiple tim

Post by amoooc » Wed Apr 20, 2011 10:54 pm

I have read it already, but there is no answer to my question. Can I change it multiple times at any time without breaking my website's functionality and security?

jeffchannell
Joomla! Ace
Posts: 1964
Joined: Tue Jun 09, 2009 2:21 am
Location: WV

Re: var $secret - secret word - can I change it multiple tim

Post by jeffchannell » Fri Apr 22, 2011 11:36 pm

If you change it, all users (including your Super Administrator) will no longer be able to log in.
http://jeffchannell.com - Joomla Extensions & Support
http://biziant.com - Open Joomla Firewall/IDS
Unsolicited private messages/emails = hire me to fix your problem.
καλλιστι


Re: var $secret - secret word - can I change it multiple tim

Post by mandville » Sat Apr 23, 2011 12:13 am

mandville wrote: This is generated when Joomla! is first installed and is not changeable. It is used internally by Joomla! for security purposes.
Jeff channell, me and the docs all say no, therefore you can change it


Re: var $secret - secret word - can I change it multiple tim

Post by amoooc » Sat Apr 23, 2011 10:42 am

jeffchannell wrote: If you change it, all users (including your Super Administrator) will no longer be able to log in.
I changed var $secret in configuration.php and all users, including the Super Administrator, are still able to log in. So do you know what's going on? I'm totally confused.
Regards


Re: var $secret - secret word - can I change it multiple tim

Post by amoooc » Sat Apr 23, 2011 11:03 am

So can someone just answer YES or NO... please. ;)


Re: var $secret - can I change it at any time? PLEASE HELP

Post by jeffchannell » Sat Apr 23, 2011 6:18 pm

It's a "no", with a caveat: you CAN change it (nothing is preventing you!), but any hashed passwords stored in your database will be unusable.

antihack
Joomla! Enthusiast
Posts: 163
Joined: Sat Mar 15, 2008 9:45 pm

Re: var $secret - can I change it at any time? PLEASE HELP

Post by antihack » Tue Apr 26, 2011 3:59 pm

I agree with him though. I change the var secret frequently and never have any issues. I don't understand how someone can still log in if it's meant to break it.

But now I'm just curious lol


Re: var $secret - can I change it at any time? PLEASE HELP

Post by amoooc » Tue Apr 26, 2011 4:18 pm

Yes, it's strange. I asked a few "Joomla experts" from my city :-) and they said that if I change the secret word I won't be able to log in anymore. BUT IT'S NOT TRUE. I see that nobody knows :-). :eek: It's really interesting! I'm curious as well. Maybe there is no answer. Maybe we don't even need var $secret :-D Maybe we should vote! :DDD

So can I change var $secret at any time?

If you want the answer, follow the white rabbit, then choose the right pill :laugh:
Last edited by amoooc on Tue Apr 26, 2011 4:25 pm, edited 1 time in total.


Re: var $secret - can I change it at any time? PLEASE HELP

Post by jeffchannell » Tue Apr 26, 2011 4:25 pm

It looks like I was wrong. ;)

The secret is used in the generation of hashes, but once the password is saved it is no longer tied to the secret - the salt is already in the DB.


Re: var $secret - can I change it at any time? White is blac

Post by amoooc » Tue Apr 26, 2011 4:30 pm

So I'm assuming that if my "secret word" was exposed to the public for some reason, all users' accounts and passwords are not secure anymore and there is nothing I can do. Am I right?


Re: var $secret - can I change it at any time? White is blac

Post by antihack » Tue Apr 26, 2011 4:31 pm

In theory. If the secret is exposed, changing the secret and resetting all passwords puts you back in the saddle, meaning you are secure once again.


Re: var $secret - can I change it at any time or white is bl

Post by amoooc » Tue Apr 26, 2011 4:43 pm

I'm not sure that you agree...
but
If I'm right, somebody who exposes var secret to the public (probably only I am stupid enough to do that :-D) should:

1. Log out of the superadmin account;
2. Change "var secret" in configuration.php;
3. Clear the cache;
4. Log in as superadmin;
5. Change the superadmin password;
6. Push all users to change their passwords immediately or at their next login.
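
The behaviour discussed in this thread (existing logins keep working after var $secret changes because each stored password carries its own salt, while secret-derived values do not survive the change), shown as an added example that is not part of the original posts and not Joomla!'s own code. It assumes the Joomla! 1.5 storage format md5(password . salt):salt and a secret-derived hash of the form md5(secret . seed); the function names and sample values are hypothetical.

```php
<?php
// Added example. Formats are assumptions modelled on Joomla! 1.5;
// function names are hypothetical and sample values are constructed.

// Assumed stored form: md5(password . salt) . ':' . salt, kept in the users table.
function make_password_record(string $password): string
{
    $salt = bin2hex(random_bytes(16));           // 32-character random salt
    return md5($password . $salt) . ':' . $salt;
}

// Verification reads the salt back out of the stored record.
// The site secret from configuration.php is not an input here.
function verify_password(string $password, string $record): bool
{
    $parts = explode(':', $record, 2);
    if (count($parts) !== 2) {
        return false;                             // malformed or unsalted record
    }
    [$hash, $salt] = $parts;
    return hash_equals($hash, md5($password . $salt));
}

// Assumed secret-derived value: md5(secret . seed), the kind of hash
// used for tokens and cookie names rather than for stored passwords.
function secret_hash(string $secret, string $seed): string
{
    return md5($secret . $seed);
}

$oldSecret = 'OLDsecretOLDsecret';                // constructed
$newSecret = 'NEWsecretNEWsecret';                // constructed

// State before the change: one stored password and one issued token.
$record      = make_password_record('correct horse');
$tokenBefore = secret_hash($oldSecret, 'session-seed');

// After var $secret is changed, the stored record is untouched,
// so the right password still verifies and a wrong one still fails.
var_dump(verify_password('correct horse', $record));
var_dump(verify_password('wrong guess', $record));

// Anything derived from the secret no longer matches what was issued earlier.
$tokenAfter = secret_hash($newSecret, 'session-seed');
var_dump(hash_equals($tokenBefore, $tokenAfter));
```

Run with PHP 7.1 or later; the three results are true, false and false.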

