Never ending password reset

For those of us who have many passwords and jump between many networks and applications, keeping track of it all can become a challenge at times. On occasion one will have to dig into the internals and manually reset that forgotten password to unlock a user account when there are no other administrators around to bail you out. This post is for those times!

Admittedly, this account-locked phenomenon is experienced by the author too frequently. However, these are the things that happen to people who are constantly tinkering, and also to people who have to leave and return to projects after an extended lapse of time. So read on if you are like me and your mind has better things to do than remember every password all the time.

Our focus here is on technical users, that is, those people with root-level access to systems and common applications. If that description doesn't fit you, then please stop reading right away, as your solution lies in the term "Help Desk", the "dude across the hall that owes me a favour", that "Forget Password" link, or, god forbid, picking up the phone to beg support for help!

Below is a guide for just a few applications, but our hope is that you will all contribute, in the comments, steps for the programs you use daily that are not covered initially. Once you give this feedback, this post will be continually updated to reflect each reset method :)

Reset Ghost user account

By default the Ghost platform will lock an account if the user makes 4 or more invalid login attempts. This is not usually an issue, as the platform has a built-in mailer that will send a reset link to the email address associated with the user account.

However, if you are not on a managed service and, for instance, you did not set up your mail relay, or your mail server is experiencing an outage, you are out of luck. Well, no. Not exactly. There is still hope! Here is what you need to do.

  1. Log in to the OS running the Ghost blog with a user account that has read/write permissions on the location containing the Ghost content directory.

  2. Stop your blog.

  3. Download and install sqlite3 for your chosen operating system. SQLite is a lightweight relational database, commonly embedded in applications, that uses the Structured Query Language (SQL). It stores each database in a single file, and it is what Ghost uses to store all the non-media data related to the blogs it manages.

  4. Access the database

     sqlite3 Path/to/ghost/slash/content/data/ghost.db
    
  5. Verify the status of the account associated with the locked-out user. Replace username@address.domain with the actual email address.

     select * from users where email='username@address.domain';
    
  6. Generate a bcrypt hash for the new password. Ghost uses bcrypt to hash passwords, and hence our new password must also be hashed using bcrypt. No need to go install the binaries, just use an online generator like this one or Google.

  7. Now that we have a new password hash we can go ahead and reset the password.

     update users set password='bcrypt hash from #6' where email='username@address.domain from #5';
    
  8. That's it! Now log in at url://your-blog.domain/admin and remember to reset that password to something more lasting.
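
Steps 5 to 7 can also be scripted so that the new password is hashed on the machine itself and the update only goes through when exactly one account matches. This is an added example, not part of the original post or of Ghost: `hash_password` assumes the third-party Python `bcrypt` package, and `reset_password`, `demo_db` and the two-column table are illustrative stand-ins for the real ghost.db.

```python
import re
import sqlite3

# Shape of a bcrypt hash: $2a$/$2b$/$2y$, two-digit cost, then 53 chars of salt+digest.
BCRYPT_RE = re.compile(r"^\$2[aby]\$\d{2}\$[./A-Za-z0-9]{53}$")


def hash_password(password):
    """Step 6, done locally. Needs the third-party 'bcrypt' package (assumption)."""
    import bcrypt  # imported lazily so the database part runs without it
    return bcrypt.hashpw(password.encode("utf-8"), bcrypt.gensalt()).decode("ascii")


def reset_password(conn, email, new_hash):
    """Steps 5 and 7: confirm the account exists, then store the new hash."""
    if not BCRYPT_RE.match(new_hash):
        raise ValueError("value is not a bcrypt hash; refusing to store it")
    count = conn.execute(
        "SELECT COUNT(*) FROM users WHERE email = ?", (email,)
    ).fetchone()[0]
    if count != 1:
        raise LookupError(f"expected one user for {email!r}, found {count}")
    with conn:  # commit on success, roll back on error
        cur = conn.execute(
            "UPDATE users SET password = ? WHERE email = ?", (new_hash, email)
        )
    return cur.rowcount


def demo_db():
    """Constructed stand-in for ghost.db with only the columns the post's SQL uses."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (email TEXT, password TEXT)")
    conn.execute(
        "INSERT INTO users VALUES ('username@address.domain', 'old-hash')"
    )
    return conn


if __name__ == "__main__":
    db = demo_db()
    # Constructed value with the right shape; use hash_password("...") for a real one.
    sample_hash = "$2a$10$" + "A" * 53
    print(reset_password(db, "username@address.domain", sample_hash))
```

Against a real installation, stop the blog first as in step 2, keep a copy of ghost.db, and pass a connection opened on that file as `conn`.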

Dokuwiki admin accounts

This wiki engine stores its user account data in a PHP file in the document root, assuming you are using the default authplain file-based authentication plugin. The file you will be interested in is /path/to/docroot/dokuwiki-root/conf/users.auth.php

The user file uses the following format:

#
# Userfile
#
# Format:
#
# login:passwordhash:Real Name:email:groups,comma,seperated

Simply replace the hash after the login name to reset the password. Be sure that the hash is generated by an algorithm matching the one set in the configuration. You can find which algorithm is in use with:

cat Path/to/dokuwiki/conf/local.php

Look for a line similar to the following:

$conf['passcrypt'] = 'bcrypt';

In the above example the wiki uses bcrypt but the default is SHA.

MySQL root password

  1. Stop the MySQL server process.

  2. Start the MySQL (mysqld) server/daemon process with the --skip-grant-tables option so that it will not prompt for a password.

  3. Connect to the MySQL server as the root user.

  4. Set up a new MySQL root account password, i.e. reset the MySQL password.

  5. Exit and restart the MySQL server.

Unix/Linux root

  1. Find a bootable DVD/CD/ISO with a live environment.

  2. Once in the live environment, mount the root disk:

     mount <root device> /mnt
    

     Or, on Solaris:

     mount c#t#d#s# /a/mnt
    
  3. Edit /mnt/etc/shadow

     vi /mnt/etc/shadow
    
  4. Replace the hash after the username for the affected account with a hash for the new password.

  5. Reboot.

  6. Log in as the user.

  7. Reset the password:

     passwd <username>