Joomla 1.0.13 New Password Hashing Method Means NO Compatibilty

Ever since the conception of Mambo/Joomla the passwords for admins and users have been converted into a md5 hash string and stored to the database.

In Joomla 1.0.13 (About time too!) this has changed.  The password is now “salted” and then md5 hashed with the salt, the salt and the password are both stored in the database.

This means that Joomla 1.0.13 breaks backwards compatibility with itself (you can’t downgrade to anything before joomla 1.0.13), and with some extensions like Community Builder and Forum bridges!!

Basically any 3rd Party Component that reads/writes/validates the password of an admin or user will now FAIL in Joomla 1.0.13 unless it is updated to know about the new changes.

The salting of passwords is a good security step – we praise the core team for doing it – HOWEVER no announcement has been made about this, no blog post has been made and users are now in the dark – remember, this means you can NEVER DOWNGRADE your site if you have problems so make sure you MAKE A BACKUP before upgrading to Joomla 1.0.13 – you have now been warned!