
Salt Configuration

risingisland edited this page Jun 12, 2025 · 5 revisions

Understanding GetSimple CMS Salt Configuration

GetSimple can use salted passwords. A salt is an extra input to the hash function that processes your password (passwords are hashed, not encrypted: the stored value cannot be turned back into the password). Because the hash is computed over more than just the password, precomputed tables of hashes for common passwords (rainbow tables) no longer match, and an attacker who does not know the salt cannot run a dictionary attack against the stored hashes at all. Two caveats: GetSimple uses one site-wide salt rather than a separate salt per user, and the salt lives in gsconfig.php, so if gsconfig.php leaks together with the stored hashes the salt hides nothing and a dictionary attack against plain SHA1 remains fast. Choose a long random value and keep gsconfig.php readable only by the web server.

The gsconfig.php file in GetSimple CMS CE uses two different salt mechanisms for different security purposes.

1. GSLOGINSALT (Password Hashing Salt)

🔐 Password Hash (GSLOGINSALT)

Purpose:

  • Used exclusively for hashing user passwords before they are stored in each user's record

  • Secures admin/login panel access

How It Works:

sha1(password + sha1(GSLOGINSALT))    (here "+" means string concatenation, PHP's "." operator)

  1. Takes the user's plaintext password

  2. If GSLOGINSALT is set:

    • First hashes the salt with SHA1

    • Appends it to the password

  3. Hashes the combined string with SHA1

Example:

  • Password: mysecretword

  • System Salt: some&long#key

  • Final Hash: sha1("mysecretword" + sha1("some&long#key"))

Where It's Used:

  • In the PWD field of each user's record (GetSimple keeps users as XML files under data/users/, not in a database table)

  • During login authentication

# Extra salt to secure your password with. Default is empty for backwards compatibility.
# define('GSLOGINSALT', 'your_unique_phrase');

⚠️ Important:

  • Stay logged in while applying this change. The hashes already on disk were computed with the old salt (or no salt) and will not verify under the new one, so a fresh login would fail.
  • After the change, re-save every user's password from the admin panel so it is re-hashed with the new salt.
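The scheme above, reimplemented in Python as an added example. This is not GetSimple's own code; it assumes the formula is exactly as the page states (an empty GSLOGINSALT gives plain sha1(password)). The password and salt are the ones from the example; rotation_report and dictionary_check are names chosen for this example, added to show why passwords must be re-saved after a salt change and why the site-wide salt must stay secret.

```python
"""Python re-implementation of the GetSimple password-hash scheme.

Added example, not GetSimple's code. Assumes the scheme is exactly
sha1(password + sha1(GSLOGINSALT)) for a non-empty salt and plain
sha1(password) for an empty one, as the page describes.
"""
import hashlib
import hmac
from typing import Iterable, Optional


def _sha1_hex(text: str) -> str:
    """Lowercase hex SHA1, matching PHP's sha1()."""
    return hashlib.sha1(text.encode("utf-8")).hexdigest()


def passhash(password: str, login_salt: str = "") -> str:
    """Value GetSimple would store in the user's PWD field.

    An empty salt gives the backwards-compatible unsalted form. With a salt,
    the salt is hashed first, so what gets appended to the password is always
    a 40-character hex string no matter how long the salt is.
    """
    if login_salt:
        return _sha1_hex(password + _sha1_hex(login_salt))
    return _sha1_hex(password)


def check_password(candidate: str, stored_hash: str, login_salt: str = "") -> bool:
    """Verify a login attempt against a stored hash (constant-time compare)."""
    return hmac.compare_digest(passhash(candidate, login_salt), stored_hash.strip().lower())


def rotation_report(stored_hash: str, password: str, old_salt: str, new_salt: str) -> dict:
    """Why every password must be re-saved after GSLOGINSALT changes: the
    stored hash was produced under old_salt and does not verify under new_salt."""
    return {
        "verifies_under_old_salt": check_password(password, stored_hash, old_salt),
        "verifies_under_new_salt": check_password(password, stored_hash, new_salt),
        "rehashed_under_new_salt": passhash(password, new_salt),
    }


def dictionary_check(stored_hash: str, login_salt: str, words: Iterable[str]) -> Optional[str]:
    """Offline guess against a leaked hash when the salt is also known.

    The salt defeats precomputed tables, but SHA1 is fast and the salt is
    site-wide, so with gsconfig.php in hand an attacker can still try a
    word list directly. Returns the matching word, or None.
    """
    for word in words:
        if check_password(word, stored_hash, login_salt):
            return word
    return None


if __name__ == "__main__":
    # Constructed input: the password and salt from the page's example
    password, salt = "mysecretword", "some&long#key"
    stored = passhash(password, salt)
    print("unsalted:", passhash(password))
    print("salted:  ", stored)
    print(rotation_report(stored, password, salt, "a-completely-new-salt"))
    print(dictionary_check(stored, salt, ["password", "letmein", "mysecretword"]))
```

Run it as a script to see the two hash forms side by side; the report shows the old hash verifying only under the old salt, and the last line shows that a known salt does not stop a word-list guess.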

2. GSUSECUSTOMSALT (General Application Salt)

🛡️ Custom Salt Hash (GSUSECUSTOMSALT)

Purpose:

  • Pins the general-purpose salt to a secret you choose instead of the value GetSimple auto-generates when the constant is not defined.

  • That salt feeds the hashes used for login cookies, temporary files, session reset, CSRF protection, file uploads, etc.

How It Works:

sha1(value + GSUSECUSTOMSALT)

  1. Takes any input value (session ID, filename, etc.)

  2. Appends GSUSECUSTOMSALT directly (no pre-hashing)

  3. Hashes the combined string with SHA1

Example:

Value: session_abc123

GSUSECUSTOMSALT: securekey456

Final Hash: sha1("session_abc123securekey456")

# Turn off auto-generation of SALT and use a custom value. Used for cookies & upload security.
# define('GSUSECUSTOMSALT', 'your_new_salt_value_here');

⚠️ Important:

  • After changing this value, existing login cookies no longer validate: clear your browser cookies or use a private window.
  • Log in again.

🔔 Updating gsconfig.php

Once you have chosen your salt values, update gsconfig.php:

Open gsconfig.php (located in your GetSimple root folder).

Update these lines:

    define('GSLOGINSALT', 'your_password_salt_here'); // (Optional)
    define('GSUSECUSTOMSALT', 'your_custom_salt_here'); // (Recommended)

Save the file.
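The procedure above as a small Python tool, added here as an example; it is not part of GetSimple CMS CE. It assumes gsconfig.php uses the define('NAME', 'value'); form shown above, that disabled lines are prefixed with '#' or '//', and that the placeholder strings are the ones from the stock comments and this page. It audits both salts, flags placeholders and short values, generates random replacements, and writes the file only after taking the backup the page asks for. The sample config text is constructed from the commented-out lines quoted above.

```python
"""Audit the salt defines in gsconfig.php and set strong values.

Added example, not part of GetSimple CMS CE. Assumes the define('NAME', 'value');
form shown on the page, '#' or '//' comment prefixes, and the stock placeholder
strings.
"""
import re
import secrets
from pathlib import Path

SALT_NAMES = ("GSLOGINSALT", "GSUSECUSTOMSALT")
# Placeholder strings from the stock gsconfig.php comments and this page.
PLACEHOLDERS = {
    "your_unique_phrase", "your_new_salt_value_here",
    "your_password_salt_here", "your_custom_salt_here",
}
DEFINE_RE = re.compile(
    r"^[ \t]*(?P<comment>(?:#|//)[ \t]*)?define\(\s*"
    r"'(?P<name>GSLOGINSALT|GSUSECUSTOMSALT)'\s*,\s*'(?P<value>[^']*)'\s*\)\s*;",
    re.MULTILINE,
)

# Constructed sample mirroring the stock commented-out lines quoted above.
SAMPLE_CONFIG = (
    "<?php\n"
    "# Extra salt to secure your password with. Default is empty for backwards compatibility.\n"
    "# define('GSLOGINSALT', 'your_unique_phrase');\n"
    "# Turn off auto-generation of SALT and use a custom value. Used for cookies & upload security.\n"
    "# define('GSUSECUSTOMSALT', 'your_new_salt_value_here');\n"
)


def audit_salts(config_text: str) -> dict:
    """Map each salt name to 'missing', 'commented_out', 'placeholder', 'short' or 'ok'."""
    status = {name: "missing" for name in SALT_NAMES}
    for m in DEFINE_RE.finditer(config_text):
        name, value = m.group("name"), m.group("value")
        if m.group("comment"):
            if status[name] == "missing":  # an active define elsewhere wins
                status[name] = "commented_out"
        elif value == "" or value in PLACEHOLDERS:
            status[name] = "placeholder"
        elif len(value) < 16:
            status[name] = "short"
        else:
            status[name] = "ok"
    return status


def new_salt(nbytes: int = 32) -> str:
    """Random URL-safe string: no quotes or backslashes, so it is safe
    inside the single-quoted PHP literal."""
    return secrets.token_urlsafe(nbytes)


def set_salt(config_text: str, name: str, value: str) -> str:
    """Rewrite the first define for `name` (active or commented out) with the
    new value, or append one if the file has none."""
    if "'" in value or "\\" in value:
        raise ValueError("salt must not contain quotes or backslashes")
    new_line = f"define('{name}', '{value}');"
    for m in DEFINE_RE.finditer(config_text):
        if m.group("name") == name:
            return config_text[: m.start()] + new_line + config_text[m.end():]
    body = config_text.rstrip()
    if body.endswith("?>"):  # keep a closing tag last if the file has one
        return body[:-2].rstrip() + "\n" + new_line + "\n?>\n"
    return body + "\n" + new_line + "\n"


def update_config(path: Path, names=("GSUSECUSTOMSALT",)) -> dict:
    """Back up gsconfig.php next to itself, then set every salt in `names`
    that is not already 'ok'. GSLOGINSALT is left alone unless requested,
    because rotating it means every user password must be re-saved."""
    text = path.read_text(encoding="utf-8")
    path.with_name(path.name + ".bak").write_text(text, encoding="utf-8")
    before = audit_salts(text)
    for name in names:
        if before[name] != "ok":
            text = set_salt(text, name, new_salt())
    path.write_text(text, encoding="utf-8")
    return audit_salts(text)


if __name__ == "__main__":
    print("before:", audit_salts(SAMPLE_CONFIG))
    updated = set_salt(SAMPLE_CONFIG, "GSUSECUSTOMSALT", new_salt())
    print("after: ", audit_salts(updated))
    print(updated)
```

To apply it to a real install, call update_config(Path("/path/to/getsimple/gsconfig.php")); pass names=SALT_NAMES only if you are logged in and ready to re-save every password, as the warnings above require.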

⚠️ Important:

  • Always make backups before applying changes.

  • If you change GSLOGINSALT, every stored hash stops verifying, so all users must have their passwords reset.
    (Stay logged in while applying this change, and re-save each password once the new salt is in place.)

  • If you change GSUSECUSTOMSALT, users may need to log in again (sessions reset).
