Manual talk:Resetting passwords

Jump to navigation Jump to search


The only reason to manually reset the password is when you don't have sysop privileges to reset user passwords.

Here's the SQL for MySQL and for MediaWiki version 1.13 and later. It is done in one statement and only requires putting the password in one location.

UPDATE `user`
SET user_password = CONCAT(SUBSTRING(user_password, 1, 3),
			   SUBSTRING(MD5(user_name), 1, 8),
			   MD5(CONCAT(SUBSTRING(MD5(user_name), 1, 8),
				      '-', MD5('new password'))))
WHERE user_name = 'WikiSysop';

Reset user_newpassword[edit]

In the SQL commands it is much better to set the user_newpassword field instead of the user_password field. The user_newpassword field will prompt you to change the password. If a troll is trying to find out how to hack into a Wiki, this will keep the same password. It is only slightly more secure than the other way, but every little bit helps. --Randyrls (talk) 12:03, 17 March 2012 (UTC)

Change password for usernames with spaces[edit]

Not entirely clarified in the article.

Syntax to change a password for a username containing spaces, use quotes. Contrary to the article, the entered password would not work unless quoted too.

php changePassword.php --user="user name" --password="user password"

tested on version 1.20.3

Wrong pointer for using Special:PasswordReset in links[edit]

Special:PasswordReset?wpUsername=Foo is suggested as a way to automatically insert usernames in links, however this is not working at all here with 1.26.2, neither as a wikilink or by entering that in the search box no matter if I use it as is, the localized version, or anything in-between. The link returns a "Special page not found" error. --Tactica amiga (talk) 12:37, 1 May 2016 (UTC)

'passwordreset' permission?[edit]

I have been searching if 'passwordreset' is a user right (permission?) that can be set in the $wgGroupPermission array, but can't find any documentation on this. What I did discover is the 'editmyprivateinfo' user right also controls whether the user can request a password reset. If set to false for group(s) then no user in those groups can reset their password. Make sure at least the bureaucrats can in case of emergencies!

Put this in LocalSettings.php if you want to prevent users from resetting their wiki password (useful when authentication is done outside of MediaWiki):

$wgGroupPermission['*']['editmyprivateinfo'] = false;
$wgGroupPermission['bureaucrat']['editmyprivateinfo'] = true;

Disable Special:PasswordReset?[edit]

Is it possible to either disable the Special:PasswordReset special page and/or hide the "Forgot your password?" link on the user login page?

I'm running an enterprise wiki that uses Extension:PluggableAuth + Extension:simplsamlphp to authorize users from a remote SO, but I also need to keep $wgPluggableAuth_EnableLocalLogin = true; for my PyWikiBot to log in


- Revansx (talk) 23:23, 10 June 2020 (UTC)
@Revansx: A little late, but you can set $wgPasswordResetRoutes to false to do so. However take note of these differences regarding password reset and password change. Ammarpad (talk) 15:58, 17 March 2021 (UTC)