Invalidating all Admin Passwords in Magento
Published: November 19, 2018
If you’re dealing with a Magento site that has experienced a breach, it’s a good idea to reset all admin user passwords.
The easiest way to do this is a direct SQL query that overwrites the password column of the admin_user table with a value that cannot be a valid hash:
UPDATE admin_user SET password = '--------';
Magento stores each admin password as a hex digest followed by a colon-separated salt (Magento 2 appends a version suffix as well), and the login check recomputes that digest from the submitted password. No input will ever hash to '--------', so every account is effectively locked at this point. Note that rewriting the stored hash does not terminate admin sessions that are already authenticated, so clear the session store (files, database, or Redis, depending on your configuration) as well.
Next, each user must go through the admin password reset workflow to reset their password.
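The whole lockout as one script, added here as an example rather than code from the original post. It assumes MySQL and Magento's default, unprefixed admin_user table (adjust the name if your install uses a table prefix); the backup table name is chosen here for illustration, and the rp_token / rp_token_created_at columns are assumed to exist (they do in Magento 1.9.x and 2.x, but check your schema before running that statement).

```sql
-- Added example, not code from the original post. Assumes MySQL and Magento's
-- default, unprefixed admin_user table; change the name if your install uses a
-- table prefix. The backup table name is chosen here for illustration.

-- 1. Keep a copy of the current hashes so the change can be audited or reverted.
--    DDL commits implicitly in MySQL, so this runs before the transaction.
CREATE TABLE admin_user_password_backup AS
  SELECT user_id, username, email, password FROM admin_user;

START TRANSACTION;

-- 2. Overwrite every stored hash with a value that no password can verify
--    against. Magento stores "<hex digest>:<salt>[:version]" and recomputes the
--    digest from the submitted password, so a non-hex value with no salt never
--    matches. If the client runs with --safe-updates, add "WHERE user_id > 0".
UPDATE admin_user SET password = '--------';

-- 3. Assumption: rp_token / rp_token_created_at exist (Magento 1.9.x and 2.x).
--    Clearing them voids any password-reset link requested before the lockout,
--    so the only usable reset links are the ones admins request from now on.
UPDATE admin_user SET rp_token = NULL, rp_token_created_at = NULL;

-- 4. Sanity check before committing: expect still_valid = 0.
SELECT COUNT(*) AS still_valid
  FROM admin_user
 WHERE password <> '--------';

COMMIT;

-- Afterwards, each admin uses the "Forgot your password?" flow to set a new one.
```

Run the sanity-check SELECT before COMMIT; if it reports anything other than zero, ROLLBACK and look at which rows were missed (a table prefix or a stale replica are the usual reasons).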
Magento 2 brought the Enterprise_Pci password-history feature into the open-source edition, so users will not be able to re-use their old passwords. Unfortunately, if you're still running Magento 1 CE, password history isn't enforced: you'll have to instruct users not to re-use their passwords and pray that they listen.