Invalidating all Admin Passwords in Magento

Published: November 19, 2018


If you’re dealing with a Magento site that has experienced a breach, you should reset every admin user password: you can’t know which credentials the attacker captured, so none of them can be trusted.

The easiest way to do this is to run a direct SQL query that overwrites the password column in the admin_user table with a placeholder that is not a valid hash.

UPDATE admin_user SET password = '--------';

Magento stores the hash together with its salt (and, in Magento 2, a hash version) in this column, so a bare placeholder like this can never verify against any input. Every admin account is effectively locked at this point.

Next, each admin user must go through the admin password reset workflow (the “Forgot your password?” link on the admin login page) to set a new password.

Magento 2's password reset screen.

Magento brought the Enterprise_Pci module into the open-source edition in Magento 2, so users will not be able to re-use their old passwords. Unfortunately, if you’re still running Magento 1 CE you’ll have to instruct users not to re-use their passwords and pray that they listen.
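The one-liner above, expanded into the full sequence I would run against a compromised store, as an added example (this is not code from the original post): it keeps a copy of the table as evidence, invalidates the hashes, clears any password-reset tokens that were already issued, ends admin sessions that are still logged in, and verifies the result before committing. Every column and table name beyond admin_user.password is an assumption about the Magento 2 schema (rp_token and rp_token_created_at on admin_user; admin_user_session and its status values from the Magento_Security module); the backup table name is arbitrary.

```sql
-- Added example, not from the original post. Assumes the Magento 2 admin_user
-- schema (columns password, rp_token, rp_token_created_at) and, for the
-- session step, the Magento_Security module's admin_user_session table.

-- Keep a copy of the rows first: the old hashes and timestamps are evidence.
-- This runs outside the transaction because DDL commits implicitly in MySQL.
CREATE TABLE admin_user_pre_reset AS SELECT * FROM admin_user;

START TRANSACTION;

-- Invalidate every stored hash. Magento keeps "hash:salt[:version]" in this
-- column, so a bare placeholder can never verify against any input.
-- Clearing rp_token also kills any password-reset link already sent out.
UPDATE admin_user
   SET password = '--------',
       rp_token = NULL,
       rp_token_created_at = NULL;

-- Magento_Security only: a direct SQL update does not end sessions that are
-- already logged in. Assumption: status 1 = logged in, 0 = logged out.
UPDATE admin_user_session
   SET status = 0
 WHERE status = 1;

-- Check before committing: no row may still carry a real hash or a live token.
-- Expected result: still_valid = 0.
SELECT COUNT(*) AS still_valid
  FROM admin_user
 WHERE password <> '--------'
    OR rp_token IS NOT NULL;

COMMIT;
```

Run this with the mysql client as the store’s database user, and drop admin_user_pre_reset once the incident is closed, since it still holds the old hashes. The session statement fails harmlessly on a store without Magento_Security; remove it in that case.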

Max Chadwick

Hi, I'm Max!

I'm a software developer who mainly works in PHP, but also dabbles in Ruby and Go. Technical topics that interest me are monitoring, security and performance.

During the day I solve challenging technical problems at Something Digital where I mainly work with the Magento platform. I also blog about tech, work on open source and hunt for bugs.

If you'd like to get in touch with me the best way is on Twitter.