var $secret - can I change it at any time or white is black?
-
- Joomla! Enthusiast
- Posts: 111
- Joined: Thu Jul 08, 2010 8:17 pm
var $secret - can I change it at any time or white is black?
Hi!
I was reading about var $secret but I'm still confused.
Can I change var $secret to a random number on my website at any time when the website already has members? Will it cause any problems in the future?
Please answer YES or NO and why... please
Last edited by amoooc on Tue Apr 26, 2011 4:32 pm, edited 4 times in total.
- mandville
- Joomla! Master
- Posts: 15100
- Joined: Mon Mar 20, 2006 1:56 am
- Location: The Girly Side of Joomla in Sussex
Re: var $secret - secret word - can I change it multiple tim
http://docs.joomla.org/Help15:Screen.config.15
Secret Word. This is generated when Joomla! is first installed and is not changeable. It is used internally by Joomla! for security purposes.
it is used to salt passwords etc
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be reported, added to the foe list and possibly just deleted
{VEL Team Leader}{TM Auditor }{ Showcase & Security forums Moderator}
-
- Joomla! Enthusiast
- Posts: 111
- Joined: Thu Jul 08, 2010 8:17 pm
Re: var $secret - secret word - can I change it multiple tim
I was reading it already but there is no answer for my question. Can I change it multiple times at any time without breaking my website functionality and security?
-
- Joomla! Ace
- Posts: 1964
- Joined: Tue Jun 09, 2009 2:21 am
- Location: WV
- Contact:
Re: var $secret - secret word - can I change it multiple tim
If you change it, all users (including your Super Administrator) will no longer be able to log in.
http://jeffchannell.com - Joomla Extensions & Support
http://biziant.com - Open Joomla Firewall/IDS
Unsolicited private messages/emails = hire me to fix your problem.
καλλιστι
- mandville
- Joomla! Master
- Posts: 15100
- Joined: Mon Mar 20, 2006 1:56 am
- Location: The Girly Side of Joomla in Sussex
Re: var $secret - secret word - can I change it multiple tim
mandville wrote: This is generated when Joomla! is first installed and is not changeable. It is used internally by Joomla! for security purposes.
Jeff channell, me and the docs all say no, therefore you can change it
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be reported, added to the foe list and possibly just deleted
{VEL Team Leader}{TM Auditor }{ Showcase & Security forums Moderator}
-
- Joomla! Enthusiast
- Posts: 111
- Joined: Thu Jul 08, 2010 8:17 pm
Re: var $secret - secret word - can I change it multiple tim
jeffchannell wrote: If you change it, all users (including your Super Administrator) will no longer be able to log in.
I changed var $secret in configuration.php and all users, including the Super Administrator, are still able to log in. So do you know what's going on? I'm totally confused.
Regards
-
- Joomla! Enthusiast
- Posts: 111
- Joined: Thu Jul 08, 2010 8:17 pm
Re: var $secret - secret word - can I change it multiple tim
So can someone just answer YES or NO... please. 

-
- Joomla! Ace
- Posts: 1964
- Joined: Tue Jun 09, 2009 2:21 am
- Location: WV
- Contact:
Re: var $secret - can I change it at any time? PLEASE HELP
It's a "no", with a caveat: you CAN change it (nothing is preventing you!), but any hashed passwords stored in your database will be unusable.
http://jeffchannell.com - Joomla Extensions & Support
http://biziant.com - Open Joomla Firewall/IDS
Unsolicited private messages/emails = hire me to fix your problem.
καλλιστι
-
- Joomla! Enthusiast
- Posts: 163
- Joined: Sat Mar 15, 2008 9:45 pm
- Contact:
Re: var $secret - can I change it at any time? PLEASE HELP
I agree with him though. I change the var secret frequently and never have any issues. I don't understand how someone can still log in if it's meant to break it.
But now I'm just curious lol
-
- Joomla! Enthusiast
- Posts: 111
- Joined: Thu Jul 08, 2010 8:17 pm
Re: var $secret - can I change it at any time? PLEASE HELP
Yes, it's strange. I asked a few "Joomla experts" from my city :-) and they said that if I change the secret word I won't be able to log in anymore. BUT IT'S NOT TRUE. I see that nobody knows :-).
It's really interesting! I'm curious as well. Maybe there is no answer. Maybe we don't even need var $secret :-D Maybe we should vote! :DDD
So can I change var $secret at any time?
If you want the answer, follow the white rabbit, then choose the right pill

Last edited by amoooc on Tue Apr 26, 2011 4:25 pm, edited 1 time in total.
-
- Joomla! Ace
- Posts: 1964
- Joined: Tue Jun 09, 2009 2:21 am
- Location: WV
- Contact:
Re: var $secret - can I change it at any time? PLEASE HELP
It looks like I was wrong. 
The secret is used in the generation of hashes, but once the password is saved it is no longer tied to the secret - the salt is already in the DB.

http://jeffchannell.com - Joomla Extensions & Support
http://biziant.com - Open Joomla Firewall/IDS
Unsolicited private messages/emails = hire me to fix your problem.
καλλιστι
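An added example (not part of the thread and not Joomla's own code) of why logins survive a changed secret: verification needs only the candidate password and the stored `hash:salt` value. It assumes the Joomla 1.5-style `md5(password + salt):salt` storage layout and, going one step beyond the post, models a secret-dependent value as `md5(secret + seed)`; all function names and sample values are hypothetical.

```python
import hashlib
import hmac
import secrets

# MD5 appears here only because it is the legacy scheme under discussion.

def make_stored_password(password: str) -> str:
    """Return 'md5hex:salt' with a fresh per-user salt (assumed 1.5-style layout)."""
    salt = secrets.token_hex(16)  # 32 characters, stored next to the hash in the DB
    digest = hashlib.md5((password + salt).encode()).hexdigest()
    return f"{digest}:{salt}"

def check_password(candidate: str, stored: str) -> bool:
    """Verify from the candidate and the stored value; the site secret is not an input."""
    digest, _, salt = stored.partition(":")
    if not salt:
        return False  # malformed value: no salt part to verify against
    expected = hashlib.md5((candidate + salt).encode()).hexdigest()
    return hmac.compare_digest(expected, digest)

def secret_keyed_hash(site_secret: str, seed: str) -> str:
    """md5(secret + seed): the kind of value that does change with the secret."""
    return hashlib.md5((site_secret + seed).encode()).hexdigest()

def rotate_demo() -> dict:
    """Store a password, change the secret, then re-check both kinds of value."""
    old_secret, new_secret = secrets.token_hex(8), secrets.token_hex(8)
    stored = make_stored_password("correct horse")  # constructed sample password
    token_before = secret_keyed_hash(old_secret, "remember-me")  # constructed seed
    # --- the administrator edits var $secret at this point ---
    token_after = secret_keyed_hash(new_secret, "remember-me")
    return {
        "login_still_works": check_password("correct horse", stored),
        "wrong_password_rejected": not check_password("wrong", stored),
        "secret_derived_value_changed": token_before != token_after,
    }

if __name__ == "__main__":
    for name, value in rotate_demo().items():
        print(f"{name}: {value}")
```

Under these assumptions, changing the secret invalidates values derived from it while stored password hashes keep verifying, which matches what the posters observed.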
-
- Joomla! Enthusiast
- Posts: 111
- Joined: Thu Jul 08, 2010 8:17 pm
Re: var $secret - can I change it at any time? White is blac
So I'm assuming that if my "secret word" was exposed to the public for some reason, all user accounts and passwords are not secure anymore and there is nothing I can do. Am I right?
-
- Joomla! Enthusiast
- Posts: 163
- Joined: Sat Mar 15, 2008 9:45 pm
- Contact:
Re: var $secret - can I change it at any time? White is blac
In theory. If the secret is exposed, changing the secret and resetting all passwords puts you back in the saddle. Meaning you're secure once again.
-
- Joomla! Enthusiast
- Posts: 111
- Joined: Thu Jul 08, 2010 8:17 pm
Re: var $secret - can I change it at any time or white is bl
I'm not sure that you agree...
but
If I'm right, somebody who exposes var secret to the public (probably only I am stupid enough to do that :-D) should:
1. Logout from superadmin account;
2. change "var secret" in configuration.php;
3. Clear cache
4. Login to superadmin;
5. Change superadmin password;
6. Push all users to change password immediately or during next login.