How to change salt and maintain a workable user login password environment?

ohl

Sep 14, 2016, 11:19:58 PM
to Guide on the Side discussion
Hello,

Are all Guide on the Side users using the same 'Security.salt' in core.php since we downloaded the same core.php file from the sources? Isn't this a security concern?

I'm wondering how I may change the salt without killing the user login system. I suppose I have to change the salt, regenerate the password hashes and update the existing "users" table records manually? Is there a built-in facility that does this easily?

Cheers.

Mike Hagedon

Sep 26, 2016, 4:23:16 PM
to Guide on the Side discussion
Hello,
It would be better if we changed the salt per installation. That'd be easier if GotS had an installer. I wonder how usable it'd be to make it part of the installation instructions.

The main security concern is that if someone gets hold of your database, they'd be able to decrypt the passwords, since everyone has the same salt. If someone compromises the location at which we store the salt (like config.yml), changing it wouldn't matter a whole lot. But we should anyway.

I don't think there's going to be a way to regenerate the passwords with a new salt unless you reset everyone's password. GotS can't decrypt the password in order to regenerate it...