Joomla Admin Password Reset

June 5, 2009 · Filed Under Joomla, Uncategorized · Comment

Went to show off a Joomla based affiliate site to a client yesterday and found some jack-ass person had defaced it. I haven’t had a hacker in several months, so I figured I was due.

His work wasn’t very extensive. It was just a bunch of gibberish on the home page article. I didn’t see any other mischief so I went to log in and clean it up. It had been a long time since I’d logged into this site and autocomplete didn’t budge. I dug my password out of my Password Corral and entered it to no avail. What’s up now? I had a hard time believing a hacker would gain access, change my password, and then only put up a gibberish article on the front page with no links anywhere. Must have changed it myself and then just not entered it into Corral. No matter.

I then started the task of searching out how to reset the admin password in Joomla. Of course Wordpress has a link on the login page to send you a new password when you forget your keys and lock yourself out. I am not sure why this feature hasn’t found it’s way into Joomla. To complicate matters the password handling procedure somehow changed between versions way back so you have to find the right article to get help.

Conventional Wisdom

In a nutshell, the process is simple. The password is in the database all hashed up in MD5, I think. It is ‘unhashable’ but most articles suggest that it is way easier to just insert a known hashed password into the database and change it that way.

That had been my preferred method, however since it has been a while since I have a.) used Joomla much and therefore, b.) locked myself out, I couldn’t find my list of known hashed passwords that I had complied for just such emergencies.

Generic hashed passwords can be found in the Joomla help forums or you can Google up MD5 Hash generators like the one at Miracle Salad. Put in your intended password and it generates the hash you will need for the database.

For Example:

password 5f4dcc3b5aa765d61d8327deb882cf99
ninja 3899dcbab79f92af727c2190bbd8abc5

Very good, now what?

Most will tell you that now the database for your Joomla site has to be modified a bit by pasting the known hash into your database to get your locked-out self back in. This assumes you have access to your database and can navigate around phpMyAdmin.

Easier Approach

There is, however, a much easier and much faster approach to this problem.

Disclaimer. If you totally destroy your database and therefore your site, by poking around the database then don’t blame me. Like with messing around with the Windows Registry, back the stupid thing up before you start.

Log into you control panel and fire up phpMyAdmin. On the left is a list of all your databases assuming there are more than one. Click on the one your Joomla site uses. On the left again is now a list of tables in the selected database. Look for jos_users or whatever prefix you had Joomla use when you installed. Click on users and in the right side of phpMyAdmin, click on the browse tab. The screen should then have a list of the site users, one being ‘administrator’. Click the little pencil near administrator.

Then next screen you see should have tables with the admin name and password hash amongst many other things. On the line called user_pass, in the field under Value, simply enter the password you want to use in plain language. Then in the dropdown to the left under Function click MD5. Click Go to save your work.

Go Try It Out

Now open up a new tab and try your log in with the password you just entered. Should work great. phpMyAdmin should have automatically hashed it for you. Mine did last night. No messing with hash generators and no searching for notes of the generic password hashes you saved from last time. Now, exit phpMyAdmin before you bump something and kill it all.