
Different ways to reset Drupal admin password

I was a part of the Learn Drupal on Global Drupal Training Day!, Drupal Chennai event, where I delivered a talk about installation and Drupal in general. The attendees came from different backgrounds, but the majority of them were students. After the presentations, Shyamala proposed forming teams and letting the student participants try a Drupal installation and come up with a site of their own taste and novelty.

It was awesome to see the enthusiasm of the participants! A curious student threw a relatively simple question at me:

What if we don't remember the password that we issued at the time of installation?

Of course, they knew it was the super admin account, and the most important credential needed to access the site.

The question is pretty simple, and as developers we do things of this sort every now and then, but understanding the technical capabilities of students and answering from their perspective needs a little more skill. It took me a while to recollect the different ways to reset the password, so I'm jotting them down in this blog post in order of complexity.

1. Reset password in Drupal core

Drupal's user module ships with a native password reset mechanism. On every Drupal site, the page http://example.com/user/password has a simple form that takes the username or email address of the user who wishes to reset his/her password. On form submit, the email address bound to that user's account receives an email with a one-time auto-login link and instructions to set a new password.

Pros

  • Native solution and relatively easy to use
  • Flawless and secure way to reset password

Cons

  • Needs a valid email address to be associated with the user account
  • The server running the Drupal site must be able to send mail
  • The current admin must have access to the mailbox of the email address bound to the user account

2. Updating user table

Every piece of content in Drupal goes in and out of the SQL database. The {users} table in the Drupal database stores user passwords in hashed form (a hash, unlike encrypted text, cannot be decrypted back to the password). Prior to Drupal 7, a plain md5() hash was the format used to save passwords; Drupal 7 uses a salted SHA-512 hash instead. The API function user_hash_password() returns the hash for a given plain-text password in Drupal 7.

The SQL query below sets the username and password of the super admin user (uid 1) to admin and drupal respectively.

For d6 : UPDATE users SET name='admin', pass=md5('drupal') WHERE uid = 1;

For d7 : UPDATE users SET name='admin', pass='$S$Drl0vgZ9yuU9uc4JyaTMHxMPriC7q/PsOUOx52fCrVQSTpI/Tu4x' WHERE uid = 1;

where $S$Drl0vgZ9yuU9uc4JyaTMHxMPriC7q/PsOUOx52fCrVQSTpI/Tu4x is the hash of the password drupal. To generate the hash for a different plain-text password, Drupal ships with a PHP script, password-hash.sh: cd to the Drupal root directory and run the command "php scripts/password-hash.sh 'mynewpassword'" from the command prompt to get the hashed password. Because the hash above and its password are published here, treat drupal as a temporary password and change it once you are logged in.

Pros

  • Relatively simple and handy. Works irrespective of the mail server or the email account associated with the admin user
  • Most widely used when a copy of the production site is to be made

Cons

  • Needs access to the MySQL server (via phpMyAdmin or any client)
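What the Drupal 7 format described above looks like in practice, and how to check afterwards that a pasted reset hash was not left in place: the Python below is an added example, not code from this post or from Drupal. It re-implements the $S$ scheme following Drupal 7's includes/password.inc and flags users-table rows that hold an MD5 value, the hash published above, or a tutorial default password; drupal7_hash, audit, TUTORIAL_DEFAULTS and the sample rows are names and data constructed for illustration.

```python
import hashlib
import hmac
import re

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
# The hash printed on this page; its password ("drupal") is public knowledge.
PUBLISHED = "$S$Drl0vgZ9yuU9uc4JyaTMHxMPriC7q/PsOUOx52fCrVQSTpI/Tu4x"
TUTORIAL_DEFAULTS = ("drupal", "admin")   # assumed list of reset-time passwords

def _b64(data):
    """phpass-style base64: 3 bytes -> 4 chars, least significant bits first."""
    out = []
    for i in range(0, len(data), 3):
        chunk = data[i:i + 3]
        value = int.from_bytes(chunk, "little")
        out += [ITOA64[(value >> (6 * k)) & 0x3F] for k in range(len(chunk) + 1)]
    return "".join(out)

def drupal7_hash(password, setting):
    """Recompute a '$S$' hash from its 12-character setting prefix."""
    rounds = 1 << ITOA64.index(setting[3])   # 4th char is log2(iterations)
    salt, pw = setting[4:12].encode(), password.encode()
    digest = hashlib.sha512(salt + pw).digest()
    for _ in range(rounds):
        digest = hashlib.sha512(digest + pw).digest()
    return (setting[:12] + _b64(digest))[:55]  # Drupal 7 stores 55 characters

def audit(rows):
    """rows: (uid, pass) pairs from the users table -> [(uid, finding)]."""
    findings = []
    for uid, stored in rows:
        if re.fullmatch(r"[0-9a-f]{32}", stored):
            findings.append((uid, "unsalted MD5 (Drupal 6 format)"))
        elif stored == PUBLISHED:
            findings.append((uid, "hash copied from a public tutorial"))
        elif stored.startswith("$S$") and len(stored) == 55 and any(
                hmac.compare_digest(drupal7_hash(p, stored), stored)
                for p in TUTORIAL_DEFAULTS):
            findings.append((uid, "tutorial default password"))
    return findings

# Constructed sample rows (not real accounts).
SAMPLE = [
    (1, PUBLISHED),
    (2, "0123456789abcdef0123456789abcdef"),
    (3, drupal7_hash("drupal", "$S$Dsalt0001")),
    (4, drupal7_hash("correct horse battery staple", "$S$Dsalt0002")),
]
```

Calling audit(SAMPLE) reports uids 1, 2 and 3 and leaves uid 4 alone; the salt lives inside the stored string, which is why one pasted hash gives every site that copies it the same password.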

3. Drush command

Drush commands like upwd or sqlq can set a new password for a given account.

drush upwd admin --password=drupal

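drush sqlq "update users set name='admin', pass='\$S\$Drl0vgZ9yuU9uc4JyaTMHxMPriC7q/PsOUOx52fCrVQSTpI/Tu4x' where uid = 1;"

The dollar signs are escaped because the query sits inside double quotes; unescaped, the shell would expand $S and $Drl0vgZ9yuU9uc4JyaTMHxMPriC7q as variables and a mangled hash would be stored.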

Pros

  • Faster way to reset the password
  • upwd : Unlike the user table update method, drush takes care of hashing the plain text into the needed format (md5 or salted hash)
  • sqlq : Handles the load of establishing a connection to the database server and passing the query to it, by reading the credentials in settings.php

Cons

  • Needs command line access to the server, which is not easy to get in a shared hosting environment
  • The username of the admin account needs to be known, as drush upwd relies on the username instead of the uid

4. Have a secondary admin

The Drupal 7 user module ships with a special role, administrator. This is in addition to the anonymous and authenticated user roles. The administrator role by default gets all the permissions exposed by all modules in Drupal. Creating new users, adding them to the administrator role and using those accounts to administer the site is considered a security best practice, instead of using a single super admin account.

Pros

  • A nice practice to consider when the site is being maintained by more than one administrator
  • From the recent log we can get a quick view of the operations performed by each administrator
  • When one admin user account is compromised, the other user account can back up the site without much hassle

Cons 

  • Overhead of creating multiple accounts

5. Hacking module file

The global variable $user in Drupal represents the user object. It contains account information, logged-in status, etc. Altering $user can grant admin access to anyone accessing the site. Adding the snippet below to any active module, say in hook_exit() of overlay.module, would grant super admin access to all users accessing the site for as long as it is in place.

 
<?php
global $user;
$user = user_load(1);
?>
 

Pros

  • Simple but needs file level access

Cons

  • Relatively bad approach to gain admin access to the site, as it grants the same access to all users accessing the site
  • Only a limited set of users will have file-level access to a site
  • Could cause a serious security risk if used carelessly, for example if the snippet is left in place after the reset
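Since a snippet like the one above is easy to forget in a module file, a check for it is worth having. The Python below is an added example (not part of the original post or of Drupal) that scans PHP source for assignments of the global $user from user_load() and rates a hard-coded uid as high severity, while a variable argument, which Drupal's own login handling also uses, is only marked for review. The function name scan_php and the three PHP samples are constructed for illustration.

```python
import re

OVERRIDE = re.compile(
    r"(\$user|\$GLOBALS\[['\"]user['\"]\])\s*=\s*user_load\s*\(\s*([^()]*?)\s*\)")
GLOBAL_DECL = re.compile(r"\bglobal\b[^;]*\$user\b")

def scan_php(source):
    """Return [(line, severity, argument)] for overrides of the session user."""
    has_global = bool(GLOBAL_DECL.search(source))
    findings = []
    for m in OVERRIDE.finditer(source):
        target, arg = m.group(1), m.group(2)
        if target == "$user" and not has_global:
            continue  # plain local variable: the session user is untouched
        line = source.count("\n", 0, m.start()) + 1
        # A literal uid means every visitor is switched to that account.
        literal_uid = re.fullmatch(r"['\"]?\d+['\"]?", arg) is not None
        findings.append((line, "high" if literal_uid else "review", arg))
    return findings

# Constructed samples (not taken from a real site).
BACKDOOR = """<?php
function overlay_exit() {
  global $user;
  $user = user_load(1);
}
"""
LOGIN = """<?php
function example_login_submit($form, &$form_state) {
  global $user;
  $user = user_load($form_state['uid']);
}
"""
LOCAL = """<?php
function example_block_view() {
  $user = user_load(1);
  return $user->name;
}
"""
```

The global check is per file rather than per function, so a "review" hit still needs a human look; commented-out occurrences are reported as well, which is deliberate for a leftover of this kind.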

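Among the approaches listed above, #3 and #5 work from the file system level, i.e. even if we don't have a user account on the Drupal site, these back doors make it possible to gain admin access to the site with minimal effort. For that reason, shell and file-level access to the server needs to be guarded as carefully as the admin password itself.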

Comments

greg.1.anderson (not verified)

Mon, 10/15/2012 - 15:38

There is an easier Drush-based solution to this problem; just use the 'user-login' (uli) command. This will emit a one-time login link that works just like the Drupal native password reset mechanism, but with no need to send / receive an email. If run without any arguments, it will default to the admin user, so you do not need to know the name of this account to log in. Of course, shell access to the account is still required.

Anonymous (not verified)

Mon, 10/15/2012 - 20:57

You missed drush uli, which generates a one-time-use login link. There is also the need to specify the site when using drush in a multisite configuration. E.g. drush uli -l example.com

Richard Eriksson (not verified)

Tue, 10/16/2012 - 00:16

drush uli

That command gets you a one-time login URL where you don't even have to reset the password for the #1 user. Useful for when you don't have access to the email account for the #1 user and don't want to fiddle with database commands or even know the name of the #1 account. And the password stays the same if you don't want it to change.

Hi everyone.

I have accidentally blocked my admin account and the system automatically logged me out. Now I want to be able to unblock my admin account so that I can log in again, or to add another user as my admin, as I have two extra accounts which unfortunately are not set as admin.
Please help.

Czoper (not verified)

Tue, 07/12/2016 - 16:24

Great post! Thanks a million!
And if someone is looking for his/her Drupal version, try this:
look for a file called CHANGELOG.txt in the root of your Drupal directory and open it up to find the version you are running.
If CHANGELOG.txt is missing, you can also check in system.module for a line at the top like:
define('VERSION', '5.5');
