What does the secret variable in the global configuration do?

[Chaosxmk]

What exactly does it control, and would it be safe to change it to something else?

[Galcedion]

$secret is part of the global configuration. It is used throughout Joomla for cryptographic operations like generating hashes or performing authentication (for example plugins/user/token/src/Extension/Token.php or libraries/src/Application/MultiFactorAuthenticationHandler.php).

That being said, you can theoretically change it. But any hash or cryptographic key generated before that will be invalidated. Furthermore the variable is generated in a way that is cryptographically secure, so you should just leave it as it is.

[HLeithner]

keep in mind that the "secret" is not secret, I can't remember where but it's leaked somewhere.