Reset password with MySQL

Question

Is there a way to reset an admin account's password by modifying the MySQL directly?

I've found the craft_users table where the hashed password is stored but I don't know how to hash a string so that it will be read correctly by Craft.

score 135 · Answer 1 · edited Mar 04 '22 at 14:45

135

Future me, looks like you forgot your password again and locked yourself out of Craft. You also made your way back to this Stack Exchange question with @chris' perfect answer. Good! And to make your life really easy this time around, I've already generated a password/hash combos for you that works:

|--------------|---------------------------------------------------------------|
|  *Password*  |                        *Resulting Hash*                       |
|--------------|---------------------------------------------------------------|
|  password    | $2y$13$i1fEVeKiboWR/Hx07N9JtuSZj46KNueAg0IgpwL2TId0sXN.oyibC  |
|--------------|---------------------------------------------------------------|
|  NewPassword | $2y$13$YA.7RIgllODUDcmQPf/.FuXjOmKJYot5QxpFhhf4og9fdJWsIPWK6  |
|--------------|---------------------------------------------------------------|
|  admin       | $2y$13$Nlvh.kEu8FLIITusfjzQgOIIDryqLnJ3TsV/1UINRCFLfVnjJtILK  |
|--------------|---------------------------------------------------------------|

Update: The hashing algorithm didn’t change in Craft 3, so the above combo still works.

Update: The hashing algorithm didn’t change in Craft 4, so the above combo still works.

edited Mar 04 '22 at 14:45

Luke Holder

6,827
14
27

answered Mar 01 '16 at 17:09

carlcs

36,220
5
62
139

10

Past @carlcs, you are a genius! – Lindsey D Mar 17 '16 at 23:14
22

Craft 3: Drop this in a template to render a new password hash {{ craft.app.security.hashPassword('NewPassword') }} Output: $2y$13$3hcn0v5fVCFB28GS3HNJfez3.MY/HaJnomkESPsy7cEN/Hx9skjLq – Sam Hernandez Apr 23 '18 at 20:52
@SamHernandez ooh nice! – carlcs Apr 24 '18 at 07:47
21

I come back to this answer with embarrassing frequency. – Patrick Harrington Aug 15 '18 at 18:43
1

@PatrickHarrington you are not alone my friend – stojda Dec 18 '18 at 15:45
The code to generate the example passwords table above is here: https://gist.github.com/lukeholder/ef09a0e667d864d73244bcd83816ca99 – Luke Holder Dec 13 '19 at 20:32
Is there a way I could use this to get the password hash of users in a craft 2 site so I can add it to an xml file for import to Craft 3 via feedme? – CreateSean Feb 18 '20 at 20:03
3

See these are the kind of people I love. I don't want to know how to generate the damn password, I just want to login into my local version so I can resume work. I will change it later once I log in. Thank you! – Rohan Jun 12 '20 at 11:51
4

Wish I could vote for this every time I come back and grab this hash. Would be properly embarrassing just how many votes I would have given it now. – neekster Aug 20 '20 at 04:47
1st time comment-or, 5th time user. Hat's off. – Jeff Irwin Dec 22 '21 at 00:14
1

This must be the 50th time I've come back to this answer. It feels like an old friend now, always there for me in times of need. – solarise Feb 11 '22 at 09:53

score 38 · Accepted Answer · answered Feb 19 '16 at 12:49

38

Craft uses Yii's CPasswordHelper::hashPassword which is a Blowfish hash algorithm, using PHP's crypt function with a "blowFishHashCost", which is a setting that can be found through craft()->config->get('blowfishHashCost')

You could use the SecurityService::hashPassword function to generate a new password, echo it, and update it in the DB manually: craft()->security->hashPassword('NewPassword');

answered Feb 19 '16 at 12:49

chris

906
6
10

Thanks! This is really helpful. Is there any way this can be done in a Twig template? Or can the hashPassword function only be called from a plugin? – bravokiloecho Feb 19 '16 at 12:57
i'd setup a temporary plugin (just the handle; ResetPlugin.php with an init function, in the init function you "Dump and Die" (Craft::dd(SecurityService::hashPassword('test'))) and after that, you delete it :) – chris Feb 19 '16 at 13:07
4

Just in case anyone else needs to do this, I made a plugin here: https://github.com/bravokiloecho/craft-password-helper – bravokiloecho Feb 19 '16 at 17:38
1

This tweet shows you how to reset the password to secret -> https://twitter.com/nystudio107/status/1063135843441954816 – andrew.welch Dec 19 '18 at 19:49

score 7 · Answer 3 · answered Dec 19 '18 at 19:31

7

If you don't want to mess about trying to insert code in the Craft/Yii stack, v3 just calls password_hash():

password_hash($your_password_string, PASSWORD_DEFAULT, ['cost' => 13]);

As a possibly helpful addendum (I was just trying to run the site locally and needed to log in); if you find you still can't login after changing the password via the database and are running PHP locally, it might be because you're accessing via socket and should add this to config/general.php:

'requireUserAgentAndIpForSession' => false,

answered Dec 19 '18 at 19:31

tjbp

171
1
1

I added this echo password_hash($your_password_string, PASSWORD_DEFAULT, ['cost' => 13]); to web/index.php; got a password on page reloaad then removed it. – Keith John Hutchison Nov 10 '23 at 06:49
As at 2023-11-10 there is an online bcrypt generator https://bcrypt.online/ – Keith John Hutchison Nov 10 '23 at 06:50

Reset password with MySQL

3 Answers3

Linked