Manual:Resetting passwords

There are any number of situations where a user may need to reset their password. Typically, people either forget their password or experience some kind of security breach that may have disclosed their password. For most situations, they can reset their own passwordusing "Email new password".

In situations in which the user forgets their account name or losing access to their email, additional measures may need to be taken by an administrator or system administrator.

If you know the username for an account, you can use the "Email new password" feature on theSpecial:UserLoginpage. To use the feature, visit the Special:UserLogin page for the relevant wiki, fill in the Username field of the form and press the” Email new password "button. A temporary password, along with instructions on how to reset the account's password, will be sent to the email address associated with the username. This will happen even if the email address has not been confirmed.

If you know the email address for a user, but not their username, query theusertable of theMediaWiki databaseto find the associated username. For example, to find the username for[email protected],run the following query:

SELECTuser_nameFROMuserWHEREuser_email='[email protected]';

ThechangePassword.phpmaintenance scriptallows system administrators to change the password for an account. For complete instructions seechangePassword.php. If you are already familiar with maintenance scripts, run the following command frommaintenancesubdirectory:

# set the password for username 'example' to 'newpassword'
phprun.phpchangePassword.php--user=example--password=newpassword

Caution: System administrators should not know the unencrypted password for user accounts. A user may use the same password over many different sites. If one of their accounts that uses the same password is compromised, then suspicion can be thrown on the administrator. It is better touse "Email new password"to force the user to reset the password for their own account or to set a temporary password the user changes directly afterwards.

Special:PasswordResetallows accounts with the 'editmyprivateinfo' permission to reset account passwords for the local installation of MediaWiki.

To use:

• Type username you want to reset in box provided and click "Reset password"
• An automatically generated password will be emailed to the user

For automatically inserting the username in links, useSpecial:PasswordReset?wpUsername=Foo.

Note that (confusingly)Special:ResetPasswordis an older alias toSpecial:ChangePasswordand not related to password resets.

MediaWiki differentiates between "resetting" and "changing" a password. In password reset request (viaSpecial:PasswordResetor from the login page), you will be asked to provide either an email and/or username (this is configurable) and then an email is automatically sent to you with a generated password. No login is required to access this page, but might be restricted with internal permission checks.

In password change request (viaSpecial:ChangePassword), you'll be able to directly change the password on the spot (give the old one, and choose new one), but login is required to access the page. So if you cannot access Special:ChangePassword, use Special:PasswordReset to first get a temporary password to log in. But if you can access the former page, use it directly to change the password, this eliminates the need for the email stage. Special:PasswordReset can be disabled withManual:$wgPasswordResetRoutessetting, if that's the case, and you cannot access Special:ChangePassword, then you need to ask your system administrator for help.

TheresetpasswordAPI provides the same functionality as Special:PasswordReset.

To reset a password you can change the value of theuser_passwordfield inside theusertable in your database. However, it's generally far easier and safer touse "Email new password"oruse the changePassword.php script. You should only use direct DB modification as a last resort, as its very easy to accidentally mess up your wiki. Always backup your database before doing any manual modification. The following only works when using MediaWiki's default authentication provider and default password configuration. If you are using an extension that modifies the authentication process (Like LDAPAuth), the following may not work.

The format you see in theusertable will depend on$wgPasswordDefaultinLocalSettings.php. However if you use a different format, it will automatically be changed to the correct format the next time the user logs in. Thus for this guide, we show how to manually set the "B" format. This format is very easy to set from an SQL query. It is not the default format as it is weaker than pbkdf2, however that's ok as the user_password field will be upgraded to the correct format the next time the user logs in.

MySQL salted (1234 is the salt. You can replace it with any number as long as both places the number is used are the same)

UPDATE`user`SETuser_password=CONCAT(':B:1234:',MD5(CONCAT('1234-',MD5('somepass'))))WHEREuser_name='someuser';

PostgreSQL salted

updatemwuserSETuser_password=text(':B:1234:')||MD5(text('1234-')||MD5('somepass'))WHEREuser_name='someuser';

Also restarting Apache and clearing your browser cache might help.

You can copy the known password from one account to another:

SELECT user_id, user_name, user_password FROM user;
+---------+-----------+----------------------------------------------+
| user_id | user_name | user_password |
+---------+-----------+----------------------------------------------+
| 1 | User1 |:B:1d8f41af:1ba8866d9c43d30b7bc037db03a067de |
| 2 | User2 |:B:ee53710f:4291b056175513a5602d48eaeb79705c |
+---------+-----------+----------------------------------------------+

UPDATE user SET user_password = ':B:ee53710f:4291b056175513a5602d48eaeb79705c' WHERE user_id = 1;