mmvsbg

Reputation: 3588

Retrieving Joomla Admin Password does not require salt string?

I was debugging a Joomla site that had its Super User password forgotten. The solution that I found was logging in to the database and changing the password field in the user table to:

d2064d358136996bd22421584a7cb33e:trd7TvKHx6dMeoMmBVxYmg0vuXEA4199

which is the hash for "secret". So far so good; however, I thought that the hash function takes the password and concatenates it with something else, either the username or a salt string or both, and then spits out the hash code. To my surprise the above scenario worked, so is it safe to conclude that Joomla only hashes the password itself without adding anything else to it?

Upvotes: 2

Views: 87

Answers (1)

Elin

Reputation: 6755

Since you saved directly in the database, what happened is that the string was effectively '', so it's not that there is no salt, it is that the salt is an empty string. Joomla knows how to handle salts, and an empty string is just a special case of a salt, one you should only use temporarily in order to regain access to your site. It's much better to use the root user function, since that puts up a big notice reminding you to undo it.

Upvotes: 1
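
Added example (not part of the original question or answer, and not Joomla's own code): a Python sketch of how a stored value of the shape quoted in the question splits into digest and salt, and how an empty salt is handled as a special case. It assumes the legacy Joomla layout md5(password + salt) followed by ":" and the salt; the function names are hypothetical.

```python
import hashlib
import hmac

# Value quoted in the question above.
PAGE_VALUE = "d2064d358136996bd22421584a7cb33e:trd7TvKHx6dMeoMmBVxYmg0vuXEA4199"


def split_stored(stored):
    """Split 'digest:salt' into its parts; a missing or empty salt part gives ''."""
    digest, _, salt = stored.strip().partition(":")
    return digest.lower(), salt


def make_stored(password, salt):
    """Build a legacy-style value (assumed layout): md5(password + salt) + ':' + salt."""
    digest = hashlib.md5((password + salt).encode("utf-8")).hexdigest()
    return f"{digest}:{salt}"


def verify(password, stored):
    """Recompute md5(password + salt) with the salt taken from the stored value."""
    digest, salt = split_stored(stored)
    candidate = hashlib.md5((password + salt).encode("utf-8")).hexdigest()
    # Constant-time comparison of the two hex strings.
    return hmac.compare_digest(candidate, digest)


def describe(stored):
    """Report whether the stored value carries a salt at all."""
    digest, salt = split_stored(stored)
    if len(digest) != 32 or any(c not in "0123456789abcdef" for c in digest):
        return "not a legacy md5 value"
    return "salted" if salt else "empty salt"


if __name__ == "__main__":
    print(split_stored(PAGE_VALUE))      # digest and salt parts of the page's value
    print(describe(PAGE_VALUE))
    print(verify("secret", PAGE_VALUE))  # check the page's value against "secret"
    # Constructed sample: same password with an empty salt (plain md5 of the password).
    print(verify("secret", make_stored("secret", "")))
```

A row that describe() reports as "empty salt" is the temporary special case the answer describes and is worth flagging for a password reset through the normal login flow.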
