Tales from the Evil Empire

Bertrand Le Roy's blog


Bertrand Le Roy



Recovering the admin password in Orchard

(c) Bertrand Le Roy 2003

These things happen, and it seems hopeless at first: you've locked yourself out of your own site and that's that. Well, not quite. If you still have access to the database, there is a way out. With SQL CE, access may be through FTP and WebMatrix or Visual Studio; otherwise it may be through SQL Server Management Studio or whatever your preferred way to access your database is. In this tutorial I'll use WebMatrix over a local SQL CE database, but other tools would work just as well with minor differences.

Open the database and go to the Orchard_Users_UserPartRecord table. You should see something like this:

[Image: The user table]

As you can see, the passwords are stored hashed, and the password format is specified for each user. Possible values are Hashed (the default), Encrypted and Clear.

Edit the Password column and replace the value with a temporary reset password of your choice. Then edit the PasswordFormat column and set it to Clear.

[Image: Resetting the admin password]

Now you should be able to log into the site using these new credentials.

You should now click on the "admin" link in order to change that password:

[Image: The admin link]

[Image: The reset password screen]

Once your password is reset, the data in the table should be back to a hashed password:

[Image: The password is back to hashed state]
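The same recovery written as SQL, for anyone working in a query window rather than a table editor. This is an added example, not part of the original post: the `Id` and `UserName` columns and the `admin` user name are assumptions, and the password value is a placeholder.

```sql
-- Added example, not from the original post. The table name and the
-- Password / PasswordFormat columns come from the post; Id and UserName
-- are assumed column names.

-- 1. Look before you write: confirm which row is the admin account and
--    which format its password is currently stored in.
SELECT Id, UserName, PasswordFormat
FROM Orchard_Users_UserPartRecord;

-- 2. Set a temporary password on that one row only. The WHERE clause
--    matters: without it, every account on the site would end up with
--    the same clear-text password.
UPDATE Orchard_Users_UserPartRecord
SET Password = '<temporary-password>',   -- placeholder, choose your own
    PasswordFormat = 'Clear'
WHERE UserName = 'admin';                -- assumed admin user name

-- 3. Log in, change the password through the site, then check that no
--    account is left in a recoverable format. On a site that uses the
--    default Hashed format, this should return zero rows.
SELECT Id, UserName, PasswordFormat
FROM Orchard_Users_UserPartRecord
WHERE PasswordFormat <> 'Hashed';
```

Until step 3 comes back empty, the temporary password is readable by anyone who can read the database or a backup of it, so treat it as disposable and change it right away.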

Many thanks to Sébastien Ros for pointing me to this trick.


Jay said:

Thanks for your post, but wouldn't it be possible/easier to insert a hashed password directly into DB? I guess everyone who has to deal with CMS's knows how to hash/encode a password using a SHA1/Base64 generator.

BTW: I think the term "encrypted" is a little bit misleading in this context. I think Base64 encoded passwords should be referred to as "encoded" instead of "encrypted" passwords.

PS: Is there a way to change the encryption from SHA1 to a more secure algorithm like SHA2? Would it be possible to overwrite the UserPartRecord setting and update all existing passwords (using a module or something)?

# April 29, 2011 1:00 AM

Bertrand Le Roy said:

@Jay: wow, not by any stretch of the imagination. Not that many people know how to hash a password, and even if you do, this is considerably easier. You are also forgetting about the salt here.

And BTW, I did not talk about encryption at all in the post, so I'm not sure what you mean here.

To move to a better hash algorithm, you can always replace the implementation, using a module, yes.

# April 29, 2011 1:07 AM

RichB said:

Why no password iteration count?

# April 29, 2011 1:46 AM

Bertrand Le Roy said:

@Rich: because you haven't contributed it yet.

# April 29, 2011 1:48 AM