
Different Ways to Reset Drupal Admin Password


I was a part of Learn Drupal on Global Drupal Training Day!, Drupal Chennai event to deliver a talk about installation and Drupal in general. The attendees were from different genres, but the majority of them were students. After the presentations, Shyamala propounded forming teams and letting the student participants try a Drupal installation and come up with a site of their own taste and novelty.

It was awesome to see the enthusiasm of the participants!! From a curious student, a relatively simple question was thrown at me. It was,

What if we don't remember the password that we issued at the time of installation?

Of course, they knew it was a super admin account, and that its credentials were paramount for accessing the site.

While it is pretty simple, and as developers we have done things of this sort every now and then, understanding the technical capabilities of students and answering from their perspective needs a little more skill. It took me a while to recollect the different paradigms for resetting passwords; I'm jotting them down in this blog post in order of complexity.

1. Reset password in Drupal core

The Drupal user module ships with a native password reset mechanism. On all Drupal sites, the page https://example.com/user/password has a simple form that takes the username or email address of the user who wishes to reset their password. On form submission, the email address bound to that user's account receives an email with a one-time auto-login link and instructions to set a new password.

Pros

  • Native solution and relatively easy to use
  • Flawless and secure way to reset password

Cons

  • Needs a valid email address to be associated with the user account
  • The server running the Drupal site must be able to send mail
  • The current admin must have access to the mailbox of the email address bound to the user account

2. Updating user table

Every piece of content in Drupal goes in and out of the SQL database. The {users} table in the Drupal database stores user passwords as hashes rather than as plain text. Prior to Drupal 7, an md5() hash was the preferred format for saving passwords, but Drupal 7 uses a salted SHA-512 hash. The API wrapper function user_hash_password() returns the hash for a given plain-text password in Drupal 7.

The SQL queries below set the username and password of the super admin user (uid 1) to admin and drupal respectively.

For Drupal 6: UPDATE users SET name='admin', pass=md5('drupal') WHERE uid = 1;

For Drupal 7: UPDATE users SET name='admin', pass='$S$Drl0vgZ9yuU9uc4JyaTMHxMPriC7q/PsOUOx52fCrVQSTpI/Tu4x' WHERE uid = 1;

where $S$Drl0vgZ9yuU9uc4JyaTMHxMPriC7q/PsOUOx52fCrVQSTpI/Tu4x is the hash of the password drupal. To generate the hash for a different plain-text password, Drupal ships with a PHP script, password-hash.sh: cd to the Drupal root directory and run the command "php scripts/password-hash.sh 'mynewpassword'" from the command prompt to get the hashed password.
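The difference between the two storage formats, as an added Python example (not Drupal's own code and not part of the original post; the function names are made up here). It reads the cost and salt out of a stored users.pass value and recomputes a Drupal 7 hash by iterating SHA-512 over the salt and password, so a value can be checked before it is pasted into the UPDATE query.

```python
import hashlib, hmac, os, re

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
PAGE_HASH = "$S$Drl0vgZ9yuU9uc4JyaTMHxMPriC7q/PsOUOx52fCrVQSTpI/Tu4x"  # from the post

def _b64(data):
    """Drupal's base64 variant: 3 bytes little-endian -> 4 chars, low bits first."""
    out = []
    for i in range(0, len(data), 3):
        chunk = data[i:i + 3]
        v = int.from_bytes(chunk, "little")
        out.extend(ITOA64[(v >> (6 * k)) & 0x3F] for k in range(len(chunk) + 1))
    return "".join(out)

def describe(stored):
    """Classify a users.pass value and extract its parameters."""
    if re.fullmatch(r"[0-9a-f]{32}", stored):
        return {"scheme": "d6-md5", "salt": None, "iterations": 1}
    m = re.fullmatch(r"\$S\$([./0-9A-Za-z])([./0-9A-Za-z]{8})[./0-9A-Za-z]{43}", stored)
    if not m:
        raise ValueError("not a Drupal 6 MD5 or Drupal 7 $S$ hash")
    return {"scheme": "d7-sha512", "salt": m.group(2),
            "iterations": 1 << ITOA64.index(m.group(1))}

def d6_hash(password):
    return hashlib.md5(password.encode()).hexdigest()  # unsalted, single pass

def d7_hash(password, setting):
    """Recompute a $S$ hash from its 12-character setting: $S$ + cost + salt."""
    pw = password.encode()
    digest = hashlib.sha512(setting[4:12].encode() + pw).digest()
    for _ in range(1 << ITOA64.index(setting[3])):
        digest = hashlib.sha512(digest + pw).digest()
    return (setting[:12] + _b64(digest))[:55]  # stored value is cut to 55 chars

def new_d7_hash(password, cost_log2=15):
    salt = _b64(os.urandom(6))  # 6 random bytes -> 8 salt characters
    return d7_hash(password, "$S$" + ITOA64[cost_log2] + salt)

def verify(password, stored):
    if describe(stored)["scheme"] == "d6-md5":
        candidate = d6_hash(password)
    else:
        candidate = d7_hash(password, stored)
    return hmac.compare_digest(candidate, stored)

if __name__ == "__main__":
    print(describe(PAGE_HASH))  # cost and salt of the hash quoted in the post
```

The Drupal 6 value for a given password is always the same string, while each call to new_d7_hash() produces a different value because of the random salt.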

Pros

  • Relatively simple, and handy. Works irrespective of a mail server or email account associated with the admin user
  • Most widely used when a copy of the production site is to be made

Cons

  • Needs access to the MySQL server (via phpMyAdmin or any client)

3. Drush command

Drush commands like upwd or sqlq can set a new password for a given account.

drush upwd admin --password=drupal

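drush sqlq "update users set name='admin', pass='\$S\$Drl0vgZ9yuU9uc4JyaTMHxMPriC7q/PsOUOx52fCrVQSTpI/Tu4x' where uid = 1;"

The dollar signs are escaped because the query is wrapped in double quotes; otherwise the shell would expand $S and $Drl0vgZ9yuU9uc4JyaTMHxMPriC7q as (empty) variables and a mangled hash would be stored.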

Pros

  • A faster way to reset password
  • upwd: Unlike the user table update method, drush takes care of hashing the plain text into the needed format (md5 or salted hash)
  • sqlq: Handles establishing a connection to the database server and passing the query to it, by reading the credentials in settings.php

Cons

  • Needs command-line access to the server, which is not easy to get in a shared hosting environment
  • The username of the admin account needs to be known, as drush upwd relies on the username instead of the uid

4. Have a secondary admin

The Drupal 7 user module ships with a special role, administrator, in addition to the anonymous and authenticated user roles. By default, the administrator role gets all the permissions exposed by all modules in Drupal. Creating new users, adding them to the administrator role, and using those accounts to administer the site is considered a security best practice, instead of using a single super admin account.

Pros

  • This is a nice practice to consider when the site is being maintained by more than one administrator
  • From the recent log, we can get a quick view of operations performed by administrators
  • When one admin user account is compromised, the other user account can back up the site without any hassle

Cons 

  • Overhead of creating multiple accounts

5. Hacking module file

The global variable $user in Drupal represents the user object. It contains account information, logged-in status, etc. Altering $user appropriately can grant admin access to anyone accessing the site as needed. Adding the below snippet to any active module, say hook_exit() in overlay.module would grant super admin access to all the users accessing the site in a given time.

Pros

  • Simple but needs file-level access

Cons

  • Relatively bad approach to gain admin access to the site, as it grants the same access to all the users accessing the site
  • Only a limited number of users will have file-level access to a site
  • Could cause serious security risks if used carelessly

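Among the approaches listed above, #3 and #5 work from the file-system level, i.e. even if we don't have a user account on the Drupal site, the back doors in Drupal make it possible to gain admin access to the site with minimal effort. Anyone with shell or file-level access to the server can do the same, so that access needs to be guarded as carefully as the admin account itself.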
