locked out of a drupal 7 site

Today, while working on a new Drupal 7 site, I somehow managed to lock myself out. I knew the admin (UID=1) username, but could not for the life of me get the password right.

Drupal 7 uses a new password hashing mechanism, so I couldn't simply replace the user's password hash with an MD5 hash of a known value (MD5(123); has long been my favourite for these scenarios!). A little bit of digging around in D7 core turned up the user_hash_password() function, which, as its name suggests, generates a hash of your supplied string (this time using SHA512 and a salt). The output of this function is what should be used as the new password in the users table.

For example, user_hash_password(123); returns $P$CD6Nf2aDgnBZZElo/teVOO2.h6sNT9/ as the hash. Replace the existing hash value in the database with this new hash (of a known string!) and you're good to go!

Happy manual-password-reset day!

comments powered by Disqus