Resetting Drupal Passwords in Drupal 7 with Drush or Without

Sometimes, whether in testing or other situations, you need to reset a password (often the admin password) for a Drupal site.

Edit: The shortest answer is that two wonderful options are built into drush!

# Get an admin login link
drush uli
# Set the password for any user
drush upwd admin --password="newpassword"

(More info on drush uli below.)

Now for the long version

In Drupal 6, you could just reset the admin password with:

cd <drupal_root_directory>
drush sql-cli   # or mysql -u<user> -p<pass> <drupal_db>
UPDATE users SET name='admin', pass=md5('drupal') WHERE uid=1;

and then log in with username 'admin' and password 'drupal'.

But no more. Drupal 7 has a unique hash for each site, which means you can't just use the md5() trick any more. However, there is a script in the scripts directory that will do this.

cd <drupal root directory>
php scripts/password-hash.sh 'drupal'

Now copy the resultant hash and paste it into the query:

drush sql-cli
update users set name='admin', pass='pasted_big_hash_from_above' where uid=1;
quit

19 Comments

Please update the

Please update the corresponding FAQ entry in the Troubleshooting FAQ.

I also like:

I also like:

drush php-eval 'echo user_pass_reset_url(user_load(1));'

That gives you a nice, discreet, password reset URL.

This gets you in without changing the password.

That's really nice, because it allows you to access the account without changing the password, which is a completely different requirement, and very discreet

$ drush php-eval 'echo user_pass_reset_url(user_load(1));'
http://default/user/reset/1/1297692833/obQlmdw-l89V4pdenSbD5-OMIg0Vda8L4JgQ3VjaS

You do have to change the hostname in the URL it gives you, but it's great.

Mac, and oh those backticks...

It should be mentioned, the 'open' command is a Mac OS X thing. It's not the same as the 'open' alias for 'openvt' in Linux, for example. On the Mac it opens a file or URL in its default handler. And that last single-quote should be a backtick, like this...

open `drush user-login`

Awesome thank you

Awesome post thank you. Worked perfectly.
My php hash file was named 'password-hash.sh' with a dash instead of an underscore though.
I wrote "php scripts/password-hash.sh 'drupal'"
instead of "php scripts/password_hash.sh 'drupal'"

Fixed

You were right, of course. I updated the article.

Minor tweak...

When I tried to run the Drush command as-shown with D7 it didn't take until I made a small change:

drush upwd admin --password="newpassword"

Note the addition of the equals-sign with the password flag. Apparently that's the proper syntax now.

Updated

You are right. I updated it. Thanks!

didn't work

I tried using this approach:

cd
php scripts/password-hash.sh 'password'

and placed the resulting hash into a query:

UPDATE users SET mail = a@a.a, pass='$S$CFURCPa.k6FAEbJPgejaW4nijv7rYgGc4dUJtChQtV4KLJTPTC/u' WHERE uid > 0;

and the passwords didn't seem to take. I couldn't login anyway. Am I missing something or is something usually forgotten?

Fix for the update in bash

You might need to escape the $ in the hashed password value. use \$ and it should work. If you are using the drush_shell_exec() you must escape these values because bash will eval the string. And use the $ represent system variables.

His example is a sql query though

His example is a sql query though... So there shouldn't be any bash escaping going on.

I now use drush uli for nearly every time I need to do something like this.

uli?

can you provide some more information on the 'drush uli'? I have been working on a module for Aegir that allows the aegir site to hold and update the admin password. Its a client request, that they have the ability to access and edit the admin users password at any time. Not great for security, but it helps with supporting 300+ locked down sites.

My code runs in the post verify site hook and the post install site hook. When we added the d7 platform we found very quickly that the drush upwd did not provide the feature we needed. My hook will request the hash for the desired password from the base install and update the target site using drush sql-query. We solved our related issue with the query by escaping the bash variable elements $ and /.

Thanks

drush uli

The latest versions of drush have drush uli which just gives you a one-time login link for admin.

$ drush uli
http://default/user/reset/1/1311169130/gf-1uDYC51jONONNF-jq3_ciKfLqhE93SsS9YNAnaEY

Unfortunately it doesn't get the hostname right in most cases (probably there's no way to know it if base_url is not set) so you have to change "default" correct hostname.

So in the case above, I would paste the link into a browser and then change it to

http://example.com/user/reset/1/1311169130/gf-1uDYC51jONONNF-jq3_ciKfLqhE93SsS9YNAnaEY

There I have a one-time login link to user 1 on the site. Works flawlessly.

this is indeed a hell of a

this is indeed a hell of a blog post. Pure awesomeness. I wonder whether the xml rpc login can also be made anonymous through this method?

what about usernames with spaces and/or using the UID instead?

First of all, thank you very much for the post!

I have a couple follow-up questions:
1. What about users who have usernames with spaces in them?
2. Is there a regularized way to use the UID instead of the username to perform drush user functions?

Apologies in advance for the stupid questions, but I haven't been able to find a good answer to this yet (not even on drush.ws).

Thanks!

Put quotes around the

  • Put quotes around the username
  • I don't believe that drush upwd or drush uli have a way to act on uids.

Thanks!

3 years later this blog post is still useful. :) Just saved me a headache!