Manual talk:Resetting passwords

From mediawiki.org
Latest comment: 1 year ago by 92.1.52.103 in topic Incorrect syntax for changePassword.php

WikiSysop[edit]

The only reason to manually reset the password is when you don't have sysop privileges to reset user passwords.

Here's the SQL for MySQL and for MediaWiki version 1.13 and later. It is done in one statement and only requires putting the password in one location.

UPDATE `user`
SET user_password = CONCAT(SUBSTRING(user_password, 1, 3),
			   SUBSTRING(MD5(user_name), 1, 8),
			   ':',
			   MD5(CONCAT(SUBSTRING(MD5(user_name), 1, 8),
				      '-', MD5('new password'))))
WHERE user_name = 'WikiSysop';

Reset user_newpassword[edit]

In the SQL commands it is much better to set the user_newpassword field instead of the user_password field. The user_newpassword field will prompt you to change the password. If a troll is trying to find out how to hack into a Wiki, this will keep the same password. It is only slightly more secure than the other way, but every little bit helps. --Randyrls (talk) 12:03, 17 March 2012 (UTC)Reply

Change password for usernames with spaces[edit]

Not entirely clarified in the article.

Syntax to change a password for a username containing spaces, use quotes. Contrary to the article, the entered password would not work unless quoted too.

php changePassword.php --user="user name" --password="user password"

tested on version 1.20.3

Wrong pointer for using Special:PasswordReset in links[edit]

Special:PasswordReset?wpUsername=Foo is suggested as a way to automatically insert usernames in links, however this is not working at all here with 1.26.2, neither as a wikilink or by entering that in the search box no matter if I use it as is, the localized version, or anything in-between. The link returns a "Special page not found" error. --Tactica amiga (talk) 12:37, 1 May 2016 (UTC)Reply

'passwordreset' permission?[edit]

I have been searching if 'passwordreset' is a user right (permission?) that can be set in the $wgGroupPermission array, but can't find any documentation on this. What I did discover is the 'editmyprivateinfo' user right also controls whether the user can request a password reset. If set to false for group(s) then no user in those groups can reset their password. Make sure at least the bureaucrats can in case of emergencies!

Put this in LocalSettings.php if you want to prevent users from resetting their wiki password (useful when authentication is done outside of MediaWiki):

$wgGroupPermission['*']['editmyprivateinfo'] = false;
$wgGroupPermission['bureaucrat']['editmyprivateinfo'] = true;

Disable Special:PasswordReset?[edit]

Is it possible to either disable the Special:PasswordReset special page and/or hide the "Forgot your password?" link on the user login page?

I'm running an enterprise wiki that uses Extension:PluggableAuth + Extension:simplsamlphp to authorize users from a remote SO, but I also need to keep $wgPluggableAuth_EnableLocalLogin = true; for my PyWikiBot to log in

Thanks!

- Revansx (talk) 23:23, 10 June 2020 (UTC)Reply
@Revansx: A little late, but you can set $wgPasswordResetRoutes to false to do so. However take note of these differences regarding password reset and password change. Ammarpad (talk) 15:58, 17 March 2021 (UTC)Reply

Resetting users without e-mail ?[edit]

I might be missing something (as a new user of MediaWiki), but one of the features of MediaWiki is that users can register without entering an email.

In which case, I can't understand why one would want to provide a 'username' with a new password without a registered e-mail (in which case, Special:passwordrest will do the job) - there would be no way to know that the person requesting a new password was in fact that user.

I think there would be justification to have a note to the 'create account' page to say 'If you don't supply an email, you won't be able to have a new password if you forget the one you enter'.

There is no warning on Special:passwordreset, but entering a non-registered e-mail there cannot send a reset; likewise nor will entering a username which has no registered email.

Incorrect syntax for changePassword.php[edit]

The syntax on the changePassword.php page does not use equal signs, and also would be nice to show an example with spaces, so example should be changed to

php changePassword.php --user "some username" --password "the new password"

92.1.52.103 22:00, 13 July 2022 (UTC)Reply