Resetting Drupal Passwords in Drupal 7 with Drush or Without

Sometimes, whether in testing or other situations, you need to reset a password (often the admin password) for a Drupal site.

Edit: The shortest answer is that two wonderful options are built into drush!

# Get an admin login link
drush uli
# Set the password for any user
drush upwd admin --password="newpassword"

(More info on drush uli below.)

Now for the long version

In Drupal 6, you could just reset the admin password with:

cd <drupal_root_directory>
drush sql-cli   # or mysql -u<user> -p<pass> <drupal_db>
UPDATE users SET name='admin', pass=md5('drupal') WHERE uid=1;

and then log in with username 'admin' and password 'drupal'.

But no more. Drupal 7 has a unique hash for each site, which means you can't just use the md5() trick any more. However, there is a script in the scripts directory that will do this.

cd <drupal root directory>
php scripts/password-hash.sh 'drupal'

Now copy the resultant hash and paste it into the query:

drush sql-cli
update users set name='admin', pass='pasted_big_hash_from_above' where uid=1;
quit

19 comments

by Anon on Sun, 2011-02-13 15:47

Please update the corresponding FAQ entry in the Troubleshooting FAQ.

by rfay on Sun, 2011-02-13 15:51

OK - If you give me a link to what you'd like to update, I will. Or you can, of course.

-Randy

by Damien Tournoud on Mon, 2011-02-14 02:07

I also like:

drush php-eval 'echo user_pass_reset_url(user_load(1));'

That gives you a nice, discreet, password reset URL.

by rfay on Mon, 2011-02-14 07:46

That's really nice, because it allows you to access the account without changing the password, which is a completely different requirement, and very discreet

$ drush php-eval 'echo user_pass_reset_url(user_load(1));'
http://default/user/reset/1/1297692833/obQlmdw-l89V4pdenSbD5-OMIg0Vda8L4JgQ3VjaS

You do have to change the hostname in the URL it gives you, but it's great.

by scor on Mon, 2011-02-14 09:24

Could not live without this feature which is part of Drush 4:
open `drush user-login'
will open your browser and log you in as uid 1 provided you've setup the URI (or copy/paste the path otherwise).

by Scott Lahteine on Thu, 2011-03-03 22:52

It should be mentioned, the 'open' command is a Mac OS X thing. It's not the same as the 'open' alias for 'openvt' in Linux, for example. On the Mac it opens a file or URL in its default handler. And that last single-quote should be a backtick, like this...

open `drush user-login`

by BJ on Wed, 2011-02-23 13:27

Awesome post thank you. Worked perfectly.
My php hash file was named 'password-hash.sh' with a dash instead of an underscore though.
I wrote "php scripts/password-hash.sh 'drupal'"
instead of "php scripts/password_hash.sh 'drupal'"

by rfay on Wed, 2011-02-23 14:43

You were right, of course. I updated the article.

by Scott Lahteine on Thu, 2011-03-03 15:53

When I tried to run the Drush command as-shown with D7 it didn't take until I made a small change:

drush upwd admin --password="newpassword"

Note the addition of the equals-sign with the password flag. Apparently that's the proper syntax now.

by rfay on Thu, 2011-03-03 15:59

You are right. I updated it. Thanks!

by Smith on Mon, 2011-05-30 17:30

I tried using this approach:

cd
php scripts/password-hash.sh 'password'

and placed the resulting hash into a query:

UPDATE users SET mail = a@a.a, pass='$S$CFURCPa.k6FAEbJPgejaW4nijv7rYgGc4dUJtChQtV4KLJTPTC/u' WHERE uid > 0;

and the passwords didn't seem to take. I couldn't login anyway. Am I missing something or is something usually forgotten?

by d1b1 on Tue, 2011-07-19 15:11

You might need to escape the $ in the hashed password value. use \$ and it should work. If you are using the drush_shell_exec() you must escape these values because bash will eval the string. And use the $ represent system variables.

by rfay on Tue, 2011-07-19 17:24

His example is a sql query though... So there shouldn't be any bash escaping going on.

I now use drush uli for nearly every time I need to do something like this.

by d1b1 on Wed, 2011-07-20 07:30

can you provide some more information on the 'drush uli'? I have been working on a module for Aegir that allows the aegir site to hold and update the admin password. Its a client request, that they have the ability to access and edit the admin users password at any time. Not great for security, but it helps with supporting 300+ locked down sites.

My code runs in the post verify site hook and the post install site hook. When we added the d7 platform we found very quickly that the drush upwd did not provide the feature we needed. My hook will request the hash for the desired password from the base install and update the target site using drush sql-query. We solved our related issue with the query by escaping the bash variable elements $ and /.

Thanks

by rfay on Wed, 2011-07-20 07:40

The latest versions of drush have drush uli which just gives you a one-time login link for admin.

$ drush uli
http://default/user/reset/1/1311169130/gf-1uDYC51jONONNF-jq3_ciKfLqhE93SsS9YNAnaEY

Unfortunately it doesn't get the hostname right in most cases (probably there's no way to know it if base_url is not set) so you have to change "default" correct hostname.

So in the case above, I would paste the link into a browser and then change it to

http://example.com/user/reset/1/1311169130/gf-1uDYC51jONONNF-jq3_ciKfLqhE93SsS9YNAnaEY

There I have a one-time login link to user 1 on the site. Works flawlessly.

by NtEditor on Mon, 2011-10-31 02:46

this is indeed a hell of a blog post. Pure awesomeness. I wonder whether the xml rpc login can also be made anonymous through this method?

First of all, thank you very much for the post!

I have a couple follow-up questions:
1. What about users who have usernames with spaces in them?
2. Is there a regularized way to use the UID instead of the username to perform drush user functions?

Apologies in advance for the stupid questions, but I haven't been able to find a good answer to this yet (not even on drush.ws).

Thanks!

by rfay on Mon, 2013-10-28 15:57
  • Put quotes around the username
  • I don't believe that drush upwd or drush uli have a way to act on uids.

by Michelle on Wed, 2014-08-27 09:30

3 years later this blog post is still useful. :) Just saved me a headache!

Drupal theme by Kiwi Themes.