Invalidating all Admin Passwords in Magento
Published: November 19, 2018
If you’re dealing with a Magento site that has experienced a breach, it’s a good idea to reset all admin user passwords.
The easiest way to do this is to run a direct SQL query to update the password column in the admin_user table to gibberish.
UPDATE admin_user SET password = '--------';
No string will hash to this value, so essentially all the accounts will be locked at this point.
Next, each user must go through the admin password reset workflow to reset their password.
Magento brought the Enterprise_Pci module into community in Magento 2, so users will not be able to re-use their old passwords. Unfortunately, if you’re still running Magento 1 CE you’ll have to instruct users not to re-use their passwords and pray that they listen.
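The query above, wrapped in a transaction with a list of the accounts to notify and a check that no hash survived. This is an added example, not part of the original post. It assumes MySQL/MariaDB, an admin_user table with no table prefix, and the stock user_id, username, email and is_active columns.

```sql
-- Added example: assumes MySQL/MariaDB and an unprefixed admin_user table.
-- Run it in an interactive session so the results can be read before COMMIT.
START TRANSACTION;

-- Accounts that will have to go through the password reset workflow.
-- Keep this output: it is the list of users to notify afterwards.
SELECT user_id, username, email, is_active
FROM admin_user
ORDER BY user_id;

-- Overwrite every stored hash with the sentinel value from the post.
UPDATE admin_user SET password = '--------';

-- Rows whose value actually changed; on a first run this should equal
-- the number of rows listed above (a re-run reports 0).
SELECT ROW_COUNT() AS rows_invalidated;

-- Must return 0: no row may hold anything other than the sentinel.
SELECT COUNT(*) AS not_invalidated
FROM admin_user
WHERE password <> '--------';

-- COMMIT when not_invalidated is 0; otherwise issue ROLLBACK instead.
COMMIT;
```

If the installation uses a table prefix, substitute the prefixed table name in all three statements.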