Change the Admin Password to Salted

Purpose

This entry is because a few people seem to have had some trouble converting their GetSimple installation from unsalted to salted logins. This entry will hopefully form a base topic to which we can point future requests.

Since you are switching from unsalted to salted, a process that assumes you are a bit knowledgeable about administration, I'm going to assume you know what FTP is, what a shell is, and what gsconfig.php does.

Why

GetSimple now has the ability to use salted passwords. A salt is an extra input to the cryptographic hash function that protects your password. This makes cracking attempts much harder to pull off: the hash is computed over more characters than just the password, so brute-forcing takes longer, and dictionary attacks won't work because the stored hash no longer corresponds to a plain word (or words).

Of course, it's important that the salt be a good length and that it contains the usual mix of non-alphanumerics, upper and lower case, and so on.

The beauty of using a salt is that your admin password can be a reasonable length for a human to remember, saving you from having to type a 30 character long string of gobbledy-gook, yet the resulting hashed password token, because it is also using the salt, will have plenty of characters to generate a decent hash.

Problem

The problem with switching from unsalted to salted passwords is that the admin's password will no longer be recognised after making the configuration changes, and the admin cannot log in. This is because the hash token stored by GetSimple is based on the unsalted password and it won't match the token being requested by the authorisation mechanism, which was generated using the salt.

We need to step through the process in an order that lets us set GetSimple's config to use salted logins while still allowing admin to log in.
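To make the lock-out concrete, here is a short added illustration in PHP (not GetSimple's own code). It assumes the login token is sha1 of the password concatenated with the configured salt, with an empty salt when GSLOGINSALT is not defined; GetSimple's real function may differ, but the mismatch it produces is the same. The password is a constructed sample; the salt is the GSLOGINSALT value shown later on this page.

```php
<?php
// Added illustration, not GetSimple's code. Token construction is an
// assumption: sha1(password . salt), salt being '' when none is configured.

function login_token(string $password, string $salt = ''): string
{
    return sha1($password . $salt);
}

// Check a login attempt against the token stored on disk, using whatever
// salt gsconfig.php currently defines. hash_equals avoids timing leaks.
function login_ok(string $attempt, string $storedToken, string $configuredSalt): bool
{
    return hash_equals($storedToken, login_token($attempt, $configuredSalt));
}

$password = 'correct horse';                                            // constructed sample
$salt     = 'w7M%_G%CZrBjxMfdBNHhqfKZ7O7%lc_0fJ5k-CE4TjJBZxUayc^ODiv';  // salt from this page

// 1. Before editing gsconfig.php: no salt, so the stored token was made from
//    the bare password the last time it was set.
$storedToken = login_token($password);

// 2. After GSLOGINSALT is added, the login check salts the attempt, so the very
//    same password no longer reproduces the stored token. This is the lock-out.
printf("after adding the salt, old token still valid: %s\n",
    login_ok($password, $storedToken, $salt) ? 'yes' : 'no');

// 3. Step Three ("change password", even to the same value) regenerates the
//    stored token with the salt, and logins work again.
$storedToken = login_token($password, $salt);
printf("after re-saving the password, token valid: %s\n",
    login_ok($password, $storedToken, $salt) ? 'yes' : 'no');

// 4. Undo path: commenting out GSLOGINSALT puts the salt back to '', so only a
//    token generated without the salt matches again.
printf("undo: unsalted token valid without salt: %s\n",
    login_ok($password, login_token($password), '') ? 'yes' : 'no');
```

Running it with the PHP CLI prints "no", "yes", "yes" for the three checks, which is exactly the sequence the steps below walk you through: stay logged in, add the salt, re-save the password.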

How

It is actually quite simple:

I use a web-host company that provides shell access, so I can edit gsconfig.php right on the server. If you don't have shell access (you would know if you did), you might have to FTP gsconfig.php down to your computer, make the changes, and then FTP it back up to your server.

Step One: Login

Log in as admin on your GetSimple site. This is purely so that you are currently logged in, to avoid the situation where you can't log in later.

Step Two: Edit gsconfig.php

Edit gsconfig.php, either by downloading it or by editing directly on the server. You are going to add the line that sets GetSimple to use salted logins. You can also add the line that sets GetSimple to use your own custom salt for cookies and uploads.

Get a salt

The salt should be a mix of alphanumerics, non-alphanumerics, upper and lower case characters, and it should be a decent length. GetSimple uses 55 characters for its salts.

You can get a salt generated for you from GetSimple's API page, which is probably the easiest way. Refresh the page a few times until you get a salt that looks completely random. Notice that the page shows two salts, one for logins and one for your custom salt for cookies and uploads. Here is an example output:
define('GSLOGINSALT', 'w7M%_G%CZrBjxMfdBNHhqfKZ7O7%lc_0fJ5k-CE4TjJBZxUayc^ODiv');

define('GSUSECUSTOMSALT', '-N0iquC47bueHs9YAyMBF6w=ny1WiTJnFcckR K~iW^s9IMy1cD^nUS');
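If you would rather not depend on the API page, the following added PHP script (not GetSimple's own generator) produces salts of the length quoted above, 55 characters, from PHP's CSPRNG and rejects any candidate that is missing one of the four character classes the page asks for. The alphabet is my choice: it leaves out the single quote and the backslash so the value can be pasted into a single-quoted PHP string without escaping, and it leaves out the space that appears in the page's second sample.

```php
<?php
// Added example, not GetSimple's code. Generates GSLOGINSALT / GSUSECUSTOMSALT
// values that satisfy the length and character-mix requirements above.

const SALT_LENGTH   = 55;   // length GetSimple uses, per this page
const SALT_ALPHABET = 'abcdefghijklmnopqrstuvwxyz'
                    . 'ABCDEFGHIJKLMNOPQRSTUVWXYZ'
                    . '0123456789'
                    . '!#$%&()*+,-./:;<=>?@[]^_{|}~';   // no quote, backslash or space

// True only if the salt has the required length and contains lower case,
// upper case, a digit and a non-alphanumeric character.
function salt_is_acceptable(string $salt): bool
{
    return strlen($salt) === SALT_LENGTH
        && preg_match('/[a-z]/', $salt)
        && preg_match('/[A-Z]/', $salt)
        && preg_match('/[0-9]/', $salt)
        && preg_match('/[^A-Za-z0-9]/', $salt);
}

// Draw each character with random_int (CSPRNG), never rand()/mt_rand(), and
// redraw the whole salt in the unlikely case a character class is missing.
function generate_salt(): string
{
    $max = strlen(SALT_ALPHABET) - 1;
    do {
        $salt = '';
        for ($i = 0; $i < SALT_LENGTH; $i++) {
            $salt .= SALT_ALPHABET[random_int(0, $max)];
        }
    } while (!salt_is_acceptable($salt));
    return $salt;
}

// Print the two lines in the exact form gsconfig.php expects.
echo "define('GSLOGINSALT', '" . generate_salt() . "');\n";
echo "define('GSUSECUSTOMSALT', '" . generate_salt() . "');\n";
```

Run it once with the PHP CLI and paste the two printed lines into gsconfig.php. Keep a copy of the output somewhere safe; if GSLOGINSALT is lost, every stored password token becomes unverifiable and you are back to the undo procedure at the end of this page.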

Add the lines

Add the following line to gsconfig.php (or uncomment it if it is already there):
define('GSLOGINSALT', ' …. your salt … ');

You have now added a salt that GetSimple will use when generating the login password token.

Upload gsconfig.php to your installation.

If you want a custom cookie salt, you can also set the following. DO NOT CHANGE THIS AT THE SAME TIME AS GSLOGINSALT:
define('GSUSECUSTOMSALT', ' … your other salt … ');

Step Three: Change admin password

Important: Don't miss this step; it is the crux.

Your installation now wants salted passwords, but your admin password token that is currently stored in the system was generated from an unsalted source (i.e. the vanilla password). You need to change it.

In your browser, you are already logged in as admin from Step One. Go to Settings (Website Settings) and change the password. You can re-use the same password you had before; it doesn't matter. This step forces the system to generate a new token for the admin password.

You are done. Log out and try logging back in. You should be good to go.

How to undo

If you cannot log back in to GetSimple, something went wrong.

Download the gsconfig.php file, edit it, and comment out the lines you added above by inserting a # character at the beginning of each line. Upload the file. You are no longer using salted logins, and your old password should work again.