May 9

MediaWiki: Resetting passwords

==Methods==

===Use Special:UserLogin===
If you know the username for an account, you can use the “Email new password” feature on the [[Special:UserLogin]] page. To use the feature, visit the Special:UserLogin page for the relevant wiki, fill in the Username field of the form and press the ‘Email new password’ button. A temporary password, along with instructions on how to reset the account’s password, will be sent to the email address associated with the username.

===Finding the username for a given email address===
If you know the email address for a user, but not their username, query the <code>[[Manual:User_table|user]]</code> table of the MediaWiki database to find the associated username. For example, to find the username for <tt>[email protected]</tt>, run the following query:

<source lang=”sql”>
SELECT user_name FROM user WHERE user_email = ‘[email protected]’;
</source>

===Use the changePassword.php maintenance script===
The [[Manual:ChangePassword.php|changePassword.php]] [[Manual:Maintenance_scripts|maintenance script]] allows system administrators to change the password for an account from the command line of the server that MediaWiki is installed on. For complete usage details, review [[Manual:ChangePassword.php|changePassword.php]]. If you are already familiar with maintenance scripts, then simply run the following command:

<source lang=”bash”>
# set the password for username ‘example’ to ‘newpassword’
php changePassword.php –user=example –password=newpassword
</source>

{{caution}} System administrators should not know the unencrypted password for user accounts. A user may use the same password over many different sites. If one of their accounts that uses the same password is compromised, then suspicion can be thrown on the administrator. It is better to use [[#Use Special:UserLogin|use “Email new password”]] to force the user to reset the password for their own account.

===Use Special:PasswordReset===
[[Special:PasswordReset]] allows accounts with the ‘passwordreset’ permission to reset account passwords for the local installation of MediaWiki.

To use:

* Type username you want to reset in box provided and click “Reset password”
* An automatically generated password will be emailed to the user

For automatically inserting the username in links, use <code>Special:PasswordReset?wpUsername=Foo</code>

===Direct database modification===
To reset a password you can change the value of <code>user_password</code> field, in <code>user</code> table. However, it’s generally far easier and safer to [[#Use Special:UserLogin|use “Email new password”]] or [[#Use the changePassword.php maintenance script | use the changePassword.php script]].

==== For MediaWiki Version 1.13 and above ====
You should choose the salted or unsalted method depending on the value of [[Manual:$wgPasswordSalt|$wgPasswordSalt]] in [[Manual:LocalSettings.php|LocalSettings.php]]

; MySQL unsalted:
<source lang=”sql”>
UPDATE user SET user_password = CONCAT(‘:A:’, MD5(‘somepass’)) WHERE user_name = ‘someuser’;
</source>

; MySQL salted (make sure both instances of “somesalt” are the same):
<source lang=”sql”>
UPDATE user SET user_password = CONCAT(‘:B:somesalt:’, MD5(CONCAT(‘somesalt-‘, MD5(‘somepass’)))) WHERE user_name = ‘someuser’;
</source>

;PostgreSQL unsalted:
<source lang=”sql”>
update mwuser SET user_password = text(‘:A:’) || MD5(‘somepass’) WHERE user_name = ‘someuser’;
</source>

;PostgreSQL salted (make sure both instances of “somesalt” are the same):
<source lang=”sql”>
update mwuser SET user_password = text(‘:B:somesalt:’) || MD5(text(‘somesalt-‘) || MD5(‘somepass’)) WHERE user_name = ‘someuser’;
</source>

==== For MediaWiki Version 1.12 and below ====
MySQL:
<source lang=”sql”>
UPDATE user SET user_password = MD5(CONCAT(user_id, ‘-‘, MD5(‘somepass’))) WHERE user_name = ‘someuser’;
</sour==Overview==
There are any number of situations where a user may need to reset their password. Typically, people either forget their password or experience some kind of security breach that may have disclosed their password. For most situations, they can reset their own password [[#Use Special:UserLogin|using “Email new password”]].

In situations that are complicated by the user forgetting their account name or losing access to their email, additional measures may need to be taken by an administrator or system administrator.

==Methods==

===Use Special:UserLogin===
If you know the username for an account, you can use the “Email new password” feature on the [[Special:UserLogin]] page. To use the feature, visit the Special:UserLogin page for the relevant wiki, fill in the Username field of the form and press the ‘Email new password’ button. A temporary password, along with instructions on how to reset the account’s password, will be sent to the email address associated with the username.

===Finding the username for a given email address===
If you know the email address for a user, but not their username, query the <code>[[Manual:User_table|user]]</code> table of the MediaWiki database to find the associated username. For example, to find the username for <tt>[email protected]</tt>, run the following query:

<source lang=”sql”>
SELECT user_name FROM user WHERE user_email = ‘[email protected]’;
</source>

===Use the changePassword.php maintenance script===
The [[Manual:ChangePassword.php|changePassword.php]] [[Manual:Maintenance_scripts|maintenance script]] allows system administrators to change the password for an account from the command line of the server that MediaWiki is installed on. For complete usage details, review [[Manual:ChangePassword.php|changePassword.php]]. If you are already familiar with maintenance scripts, then simply run the following command:

<source lang=”bash”>
# set the password for username ‘example’ to ‘newpassword’
php changePassword.php –user=example –password=newpassword
</source>

{{caution}} System administrators should not know the unencrypted password for user accounts. A user may use the same password over many different sites. If one of their accounts that uses the same password is compromised, then suspicion can be thrown on the administrator. It is better to use [[#Use Special:UserLogin|use “Email new password”]] to force the user to reset the password for their own account.

===Use Special:PasswordReset===
[[Special:PasswordReset]] allows accounts with the ‘passwordreset’ permission to reset account passwords for the local installation of MediaWiki.

To use:

* Type username you want to reset in box provided and click “Reset password”
* An automatically generated password will be emailed to the user

For automatically inserting the username in links, use <code>Special:PasswordReset?wpUsername=Foo</code>

===Direct database modification===
To reset a password you can change the value of <code>user_password</code> field, in <code>user</code> table. However, it’s generally far easier and safer to [[#Use Special:UserLogin|use “Email new password”]] or [[#Use the changePassword.php maintenance script | use the changePassword.php script]].

==== For MediaWiki Version 1.13 and above ====
You should choose the salted or unsalted method depending on the value of [[Manual:$wgPasswordSalt|$wgPasswordSalt]] in [[Manual:LocalSettings.php|LocalSettings.php]]

; MySQL unsalted:
<source lang=”sql”>
UPDATE user SET user_password = CONCAT(‘:A:’, MD5(‘somepass’)) WHERE user_name = ‘someuser’;
</source>

; MySQL salted (make sure both instances of “somesalt” are the same):
<source lang=”sql”>
UPDATE user SET user_password = CONCAT(‘:B:somesalt:’, MD5(CONCAT(‘somesalt-‘, MD5(‘somepass’)))) WHERE user_name = ‘someuser’;
</source>

;PostgreSQL unsalted:
<source lang=”sql”>
update mwuser SET user_password = text(‘:A:’) || MD5(‘somepass’) WHERE user_name = ‘someuser’;
</source>

;PostgreSQL salted (make sure both instances of “somesalt” are the same):
<source lang=”sql”>
update mwuser SET user_password = text(‘:B:somesalt:’) || MD5(text(‘somesalt-‘) || MD5(‘somepass’)) WHERE user_name = ‘someuser’;
</source>

==== For MediaWiki Version 1.12 and below ====
MySQL:
<source lang=”sql”>
UPDATE user SET user_password = MD5(CONCAT(user_id, ‘-‘, MD5(‘somepass’))) WHERE user_name = ‘someuser’;
</source>

PostgreSQL:
<source lang=”sql”>
UPDATE mwuser SET user_password = MD5(text(“user_id”) || text(‘-‘) || MD5(‘somepass’)) WHERE user_name = ‘someuser’;
</source>

==Notes==
Also restarting Apache and clearing your browser cache might help. <!– This seems to be spurious. If so, it’s relatively harmless. –>ce>

PostgreSQL:
<source lang=”sql”>
UPDATE mwuser SET user_password = MD5(text(“user_id”) || text(‘-‘) || MD5(‘somepass’)) WHERE user_name = ‘someuser’;
</source>

==Notes==
Also restarting Apache and clearing your browser cache might help. <!– This seems to be spurious. If so, it’s relatively harmless. –>


Copyright 2021. All rights reserved.

Posted May 9, 2012 by Timothy Conrad in category "Websites

About the Author

If I were to describe myself with one word it would be, creative. I am interested in almost everything which keeps me rather busy. Here you will find some of my technical musings. Securely email me using - PGP: 4CB8 91EB 0C0A A530 3BE9 6D76 B076 96F1 6135 0A1B