Hi all,

I think that the D7 users table does not store a simple md5 hex hash. Does this mean that this mysql query...

UPDATE users SET pass = MD5('mynewpassword') WHERE uid = 1;

...which works in D6 will not work in D7 and if so how do I reset the admin password in D7?

Thanks

Comments

bojanz’s picture

Drupal 7 stores a salted sha512 hash.

You can always use the user_hash_password('mypassword') function (located in includes/password.inc) to make yourself a new one, then paste it into the database.

Juc1’s picture

OK thanks I can see this code in my includes/password.inc...

function user_hash_password($password, $count_log2 = 0) {
  if (empty($count_log2)) {

...but how do I create a new password?

Thank you

bojanz’s picture

Open index.php, add at the top: echo user_hash_password('mynewpassword'); die();
Then visit your site, you'll get the hashed "mynewpassword", copy it, open index.php, revert your changes, update the database with the hash you got...

Juc1’s picture

Ok thanks but I am probably getting the syntax wrong. Should my index.php look like this...

<?php
echo user_hash_password('obama');
die();

// $Id: index.php,v 1.99 2009/10/15 14:07:25 dries Exp $
/**
* @file
* The PHP page that serves all page requests on a Drupal installation.
*
* The routines here dispatch control to the appropriate handler, which then
* prints the appropriate page.
*
* All Drupal code is released under the GNU General Public License.
* See COPYRIGHT.txt and LICENSE.txt.
*/

/**
* Root directory of Drupal installation.
*/
define('DRUPAL_ROOT', getcwd());

require_once DRUPAL_ROOT . '/includes/bootstrap.inc';
drupal_bootstrap(DRUPAL_BOOTSTRAP_FULL);
menu_execute_active_handler();

Thank you

bojanz’s picture

Add it after drupal_bootstrap(DRUPAL_BOOTSTRAP_FULL);

Juc1’s picture

Ok thanks do you mean this because it gives a white screen....

<?php 
// $Id: index.php,v 1.99 2009/10/15 14:07:25 dries Exp $
/**
* @file
* The PHP page that serves all page requests on a Drupal installation.
*
* The routines here dispatch control to the appropriate handler, which then
* prints the appropriate page.
*
* All Drupal code is released under the GNU General Public License.
* See COPYRIGHT.txt and LICENSE.txt.
*/

/**
* Root directory of Drupal installation.
*/
define('DRUPAL_ROOT', getcwd());

require_once DRUPAL_ROOT . '/includes/bootstrap.inc';
drupal_bootstrap(DRUPAL_BOOTSTRAP_FULL);
echo user_hash_password('obama');
die();
menu_execute_active_handler();

Thanks

liquid06’s picture

The error I saw after doing this was "Call to undefined function user_hash_password()" There's one more piece needed, pointed out by esteewhy in this comment.

If you add require_once 'includes/password.inc'; before the echo user_hash_password('password'); line, modifying the index file will output the hash you need. If you're comfortable using drush, though, that method is simpler. Plus it doesn't make your site totally inaccessible while you're fixing a password. >.<

pefferen’s picture

It might be easier to just run the standard drupal script from the root of your installation:
./scripts/password-hash.sh

cheers

codeglyph’s picture

@dutchguy (using reset script)

This worked for me.
Thanx.

petabyte’s picture

@pefferen: You're my king. Passwort reset for real hackerz worked! ::) Always wondered what mysterious tools reside in that folder ... now I know.

Content is king.

jcallanan’s picture

How do I run this script?

John Callanan

phryk’s picture

Open up a terminal, cd into the root directory of your drupal and execute
php scripts/password-hash.sh <yournewpassword>
with <yournewpassword> substituted for whatever you want as a password.

The php binary/executable has to be found in one of the directories listed in your $PATH environment variable for this.

torgosPizza’s picture

If you add require_once 'includes/password.inc'; before the echo user_hash_password('password'); line, modifying the index file will output the hash you need.

This worked for me. Thanks!

Have I helped you? Consider buying me a beer.

linkuncha0’s picture

it didn't work for drupal 7.4 ?

everytime I executed it , it did create a hash
but they are different ?
can you tell me why ?
Is't change for drupal 7.4 ?

thank you

oknate’s picture

edit your index.php to look like this:

define('DRUPAL_ROOT', getcwd());

require_once DRUPAL_ROOT . '/includes/bootstrap.inc';
drupal_bootstrap(DRUPAL_BOOTSTRAP_FULL);

require('includes/password.inc');

echo user_hash_password('mypassword');
die();
menu_execute_active_handler();

Nate Andersen

happyjoker’s picture

its worked for me too

sivaguru_drupal’s picture

This worked for me too.

purna_dey’s picture

<?php
/**
 * @file
 * The PHP page that serves all page requests on a Drupal installation.
 *
 * The routines here dispatch control to the appropriate handler, which then
 * prints the appropriate page.
 *
 * All Drupal code is released under the GNU General Public License.
 * See COPYRIGHT.txt and LICENSE.txt.
 */

/**
 * Root directory of Drupal installation.
 */
define('DRUPAL_ROOT', getcwd());

require_once
DRUPAL_ROOT . '/includes/bootstrap.inc';
drupal_bootstrap(DRUPAL_BOOTSTRAP_FULL);

require_once
'includes/password.inc';
echo
user_hash_password('givenpassword');
die();

menu_execute_active_handler();
?>

After solved this problem, must removed the code from index.php

CarlHinton’s picture

drush ev "include_once('includes/password.inc');db_update('users')->fields(array('pass' => user_hash_password('password'),))->condition('uid', 1, '=')->execute();"

And there's no copy and paste either.

uberhacker’s picture

Ah, but yet there is even an easier way in drush. Sometimes user 1 is renamed from admin. To find the name of uid 1, execute the following:

drush sqlq "select name from users where uid=1"

Results will be similar to below:

name
admin

Once you know the name, you can reset the password as follows:

drush upwd admin --password=pass

Replace admin with the name from above and pass with the new password. If you want to include spaces in the password, enclose the whole password in double quotes.

Jaypan’s picture

The easiest thing to do is run drush uli

uberhacker’s picture

Doesn't that require that you cut and paste a url and then you still need to reset the password? Easiest doesn't necessarily mean the fastest.

Jaypan’s picture

Doesn't that require that you cut and paste a url

Yes.

Easiest doesn't necessarily mean the fastest.

No, but usually the easiest will be the fastest, particularly if you consider that more difficult methods open up the potential for making mistakes, which take time to figure out where the mistake is, and fix it.

jcallanan’s picture

I have found the password.inc file, but how do you execute it?

John Callanan

vannus’s picture

so in the end your index.php (or if your like me, your pass.php) will now be

<?php
// $Id: index.php,v 1.99 2009/10/15 14:07:25 dries Exp $

/**
* @file
* The PHP page that serves all page requests on a Drupal installation.
*
* The routines here dispatch control to the appropriate handler, which then
* prints the appropriate page.
*
* All Drupal code is released under the GNU General Public License.
* See COPYRIGHT.txt and LICENSE.txt.
*/

/**
* Root directory of Drupal installation.
*/
define('DRUPAL_ROOT', getcwd());

require_once DRUPAL_ROOT . '/includes/bootstrap.inc';
drupal_bootstrap(DRUPAL_BOOTSTRAP_FULL);

require_once 'includes/password.inc';
echo user_hash_password('mynewpassword');
die();

menu_execute_active_handler();

if you changed index.php - remember to change it back!!!!
if you made pass.php - remember to delete it!!!!

- V

laura s’s picture

For people who stumble across this, see Forgotten your Drupal 7 account password.

_____ ____ ___ __ _ _
Laura Scott :: design » blog » tweet

wdrupal100’s picture

heres the hash for 'password' (without the quotes)

$S$CDbdwZvjHQ09IVRs88G0fnaxPr50/kb81YI9.8M/D9okW7J/s5U4

now you dont have to code anything!

beanluc’s picture

The hash is salted with details from your own Drupal 7 installation. Other users can't use this hash. That's the way it works in Drupal 7. The entire point of using SHA with a lot of salt is that people should not be able to get from a hash to a known plaintext. That's what was weak about the plain-vanilla MD5 hashing before D7.

kurtzhong’s picture

There is a drupal hash script which could help u to generate a password hash from plain text.

If I want to set my password for user 'admin' to 'mynewpass', then first in the drupal root directory, run the script:
$ ./scripts/password-hash.sh 'mynewpass'

Then it will outout something like this:

password: mynewpass hash: $S$CGM3hk.Fvl/pQlirfJmIQiXMOdifVR.wPoyT9e81ktxAStq7pmGK

And then use the following SQL to update the password:

UPDATE users SET pass='$S$CGM3hk.Fvl/pQlirfJmIQiXMOdifVR.wPoyT9e81ktxAStq7pmGK' where uid=1;

You could check the script itself to find more details.Good luck.

freebug’s picture

I was able to reset my admin password by following the steps given at http://drupal.org/node/1023428

Windows users will of course have to add the PHP executable to their environment path.

Also I could unblock my locked account with the steps given at http://drupal.org/node/1023440

jcallanan’s picture

Here's what I get. Any ideas?

-bash-3.2$ ./scripts/password-hash.sh "newpassword"
X-Powered-By: PHP/5.3.19
Content-type: text/html

Warning: include_once(/home/pixelhou/public_html/comtech/scripts/includes/password.inc) [function.include-once]: failed to open stream: No such file or directory in /home/pixelhou/public_html/comtech/scripts/password-hash.sh on line 83

Warning: include_once() [function.include]: Failed opening '/home/pixelhou/public_html/comtech/scripts/includes/password.inc' for inclusion (include_path='.:/usr/lib/php:/usr/local/lib/php') in /home/pixelhou/public_html/comtech/scripts/password-hash.sh on line 83

Warning: include_once(/home/pixelhou/public_html/comtech/scripts/includes/bootstrap.inc) [function.include-once]: failed to open stream: No such file or directory in /home/pixelhou/public_html/comtech/scripts/password-hash.sh on line 84

Warning: include_once() [function.include]: Failed opening '/home/pixelhou/public_html/comtech/scripts/includes/bootstrap.inc' for inclusion (include_path='.:/usr/lib/php:/usr/local/lib/php') in /home/pixelhou/public_html/comtech/scripts/password-hash.sh on line 84

Fatal error: Call to undefined function user_hash_password() in /home/pixelhou/public_html/comtech/scripts/password-hash.sh on line 87
-bash-3.2$

John Callanan

Carnix’s picture

waynef100: fail. Drupal sets the salts dynamically in the settings.php file per site. (not trying to be a troll here, just putting it out there so ppl don't get blocked by the flood filters). BTW, if that happens, truncate the flood table... I've seen some other methods, but that's what works for me. If you're on a production site and you think and attack is in progress, don't do it that way :)

girishmuraly’s picture

truncate flood;
worked for me, thanks for the pointer @Carnix.

I was blocked due to the repeated failed login attempts, even after resetting my password using the password-hash.sh script.

kris-o3’s picture

was struggling with this on a recent localhost re-install...
TRUNCATE flood;
did the trick.

tejaspmehta’s picture

http://drupal.org/node/992400#comment-4673708 has worked for me...

Thank you
Tejas Mehta

Thank you
Tejas Mehta

thaik77’s picture

hello
i like save in dr_users > pass filed or maybe new one field in table
md5 passowrd not drupal 7 format pws
why???
because i have some software than just working with also md5 pws
what can i do???
maybe something in password.inc
someboy can help me???

TanvirAhmad’s picture

Here you find the easy solution to change D7 admin password...

http://drupaldr.blogspot.com/2012/06/how-to-reset-root-password-in-drupa...

Cheers

t@n

TanvirAhmad’s picture

Just a one line command of drush... and you are done...

http://drupaldr.blogspot.com/2012/06/resetting-drupal-passwords-in-drupa...

Cheers

t@n

batigolix’s picture

the one line drush command is:

drush uli

corneliusparkin’s picture

I am new to Drupal and struggled with this for some time. If you do not have the drush module installed, then it becomes virtually impossible to change your password. The answer is here: http://chillburn.com.au/blog/changing-resetting-the-admin-password-in-dr...

Basically, your index page should look like this. Just remember to undo it!
01 <?php
02 define('DRUPAL_ROOT', getcwd());
03
04 require_once DRUPAL_ROOT . '/includes/bootstrap.inc';
05 drupal_bootstrap(DRUPAL_BOOTSTRAP_FULL);
06
07 require_once 'includes/password.inc';
08
09 //change the password here.
10 $my_new_password = 'password';
11
12 printf('UPDATE users SET pass=\'%s\' WHERE uid=1;', user_hash_password($my_new_password));
13 exit();

batigolix’s picture

If you do not have drush than you can find here, http://drupal.org/node/1023428 , many ways to recover the password

gajendra sharma’s picture

i have use mypass.php file then paste this code "drupal_bootstrap(DRUPAL_BOOTSTRAP_FULL)" , Run file and get Some code like MD5 format values but can't be work.

<?php
define
('DRUPAL_ROOT', getcwd());
require_once
DRUPAL_ROOT . '/includes/bootstrap.inc';
drupal_bootstrap(DRUPAL_BOOTSTRAP_FULL);
 
require_once
'includes/password.inc';
echo
user_hash_password('newpassword');
 
die();
menu_execute_active_handler();
?>

Gajendra sharma

krishnakrgupta’s picture

Really worked for me . Thank You !

Regards,
Krishna Kumar Gupta
Email: krishnakrgupta@gmail.com
skype: webengg
gTalk: krishnakrgupta@gmail.com
Phone: +91-8826477908
www.krishnakumargupta.com

Ayesh’s picture

Just for the completeness of this thread, there is a doc file Recovering the administrator password with a PHP file (Drupal7)

// Ayesh
(Latest blog post: Drupal bad practices)

geerlingguy’s picture

See also: Recovering the administrator password.

If you have drush, you can just do drush uli, copy the one-time login link drush gives you, and paste it in your browser.

__________________
Work: Midwestern Mac, LLC | Personal: jeffgeerling.com

balasweb2’s picture

Thank you!

Drupal Password has been reset with ur ideas.

i tried:

<?php

/**
* @file
* The PHP page that serves all page requests on a Drupal installation.
*
* The routines here dispatch control to the appropriate handler, which then
* prints the appropriate page.
*
* All Drupal code is released under the GNU General Public License.
* See COPYRIGHT.txt and LICENSE.txt.
*/

/**
* Root directory of Drupal installation.
*/
define('DRUPAL_ROOT', getcwd());

require_once DRUPAL_ROOT . '/includes/bootstrap.inc';
drupal_bootstrap(DRUPAL_BOOTSTRAP_FULL);
require('includes/password.inc');
echo user_hash_password('123456'); // 123456 = my password
die();
menu_execute_active_handler();

Edward Davies’s picture

Here is the drush command to change the password of any user, it helped me when I was in the same situation:

drush upwd username --password="newpassword"

ashutosh1629’s picture

Thanks worked for me:))

ASHUTOSH GUPTA

navi85sin’s picture

Use drupal's root directory to write the below script :
php ./scripts/password-hash.sh NewPassword

Note* php should be installed to execute this shell script

It will return :

password: NewPassword hash: $S$DRSUIz9NFfxOXKPveQ00UTGMzsJe62LjYvVHfYJ8I8wuy4zRqVBK

Then we just need to update this password to user table with the help of following command :
Replace the hash key generated above in below query

UPDATE users SET pass = '$S$DRSUIz9NFfxOXKPveQ00UTGMzsJe62LjYvVHfYJ8I8wuy4zRqVBK' WHERE uid = 1;

Nav

gajendra sharma’s picture

drush upwd --password="newpassword" "admin"
[admin is the site username]

Gajendra sharma