Joomla is currently less secure than, for example, Wordpress is.

User passwords are salted and hashed and the password's hash and salt are stored in the users table in the database. If there is an SQL injection vulnerability then an attacker finds everything he needs to crack the hashes in the database.

I propose adding a secret, second salt that is unique for each Joomla site and that is not stored in the DB, as a 'pwsecret' property in the configuration.php.
There is already a 'secret' property, but by introducing a new property, the new code won't break existing password hashes, because it recognizes that the site was not yet set up to use this second salt in its hashes.
The feature cannot easily be applied to existing installations, but it will not break them and should be used for all new installations.

I have already forked Joomla on github and added this new feature.
See and

Please tell me what you think about it. Thanks!

Opened On:
10 Apr 2013, 5:09 by Andy Wermke
Closed On:
21 Apr 2013, 12:53

Filed Under

  • Authentication & Login
  • Developer
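
The scheme the post describes, written out as an added example (this is not Joomla's code and not the fork the post links to): a site-wide secret that lives only in configuration.php is mixed into each password hash, and hashes created before the secret existed still verify, so enabling it does not lock existing users out. The `SiteConfig` class, the `pwsecret` property and the `p1$` prefix are assumptions made for this example, and the code assumes PHP 8.

```php
<?php
// Added example, not Joomla's own code: a site-wide secret ("pepper") that
// lives only in configuration.php is mixed into password hashes, while hashes
// created before the site had a pepper are still verified the old way.

// Stand-in for Joomla's JConfig. 'pwsecret' is the property name the tracker
// post proposes; it is not an existing Joomla setting.
final class SiteConfig
{
    public ?string $pwsecret = null;   // null: site not yet set up for a pepper
}

final class PasswordStore
{
    // Constructed marker so a stored hash records whether a pepper was used.
    private const PEPPERED_PREFIX = 'p1$';

    public function __construct(private SiteConfig $config) {}

    // Pre-hash with an HMAC keyed by the pepper, so the value fed to bcrypt
    // depends on a secret that is not in the database. The 64-hex-char output
    // stays under bcrypt's 72-byte input limit.
    private function pepper(string $password): string
    {
        return hash_hmac('sha256', $password, $this->config->pwsecret);
    }

    public function hash(string $password): string
    {
        if ($this->config->pwsecret === null) {
            // Legacy path: per-user salt only (bcrypt generates and stores it).
            return password_hash($password, PASSWORD_BCRYPT);
        }
        return self::PEPPERED_PREFIX
            . password_hash($this->pepper($password), PASSWORD_BCRYPT);
    }

    public function verify(string $password, string $stored): bool
    {
        if (str_starts_with($stored, self::PEPPERED_PREFIX)) {
            if ($this->config->pwsecret === null) {
                return false;   // hash needs a pepper this site does not have
            }
            $bare = substr($stored, strlen(self::PEPPERED_PREFIX));
            return password_verify($this->pepper($password), $bare);
        }
        // Hash made before the pepper existed: verify as before, so enabling
        // 'pwsecret' does not break existing accounts.
        return password_verify($password, $stored);
    }

    // After a successful legacy verify, the plaintext is available and the
    // stored hash can be replaced with a peppered one.
    public function needsUpgrade(string $stored): bool
    {
        return $this->config->pwsecret !== null
            && !str_starts_with($stored, self::PEPPERED_PREFIX);
    }
}

// Demo with constructed values: a hash stored before the site had a pepper,
// then the pepper is enabled and a second hash is created.
$config = new SiteConfig();
$store  = new PasswordStore($config);
$legacy = $store->hash('correct horse');

$config->pwsecret = 'constructed-site-secret';   // set in configuration.php
$peppered = $store->hash('correct horse');

foreach ([
    'legacy hash still verifies'   => $store->verify('correct horse', $legacy),
    'peppered hash verifies'       => $store->verify('correct horse', $peppered),
    'legacy hash flagged for rehash' => $store->needsUpgrade($legacy),
    'wrong password rejected'      => $store->verify('wrong', $peppered),
] as $label => $result) {
    printf("%-32s %s\n", $label, $result ? 'yes' : 'no');
}
```

The check a reviewer would want on top of this: the protection only holds as long as configuration.php is not readable through some other weakness (a file-disclosure bug, a backup copied into the web root, a leaked repository), so the secret should be treated like any other credential in that file, and changing it invalidates every peppered hash, which is why the legacy path and the rehash-on-login step matter.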


Posted on 10 Apr 2013, 5:13 by Andy Wermke
Sorry, wrong tracker. Hit me.
Moved to:

Please close. Thx.