Invalidating all Admin Passwords in Magento

Published: November 19, 2018

If you’re dealing with a Magento site that has experienced a breach, it’s a good idea to reset all admin user passwords.

The easiest way to do this is to run a direct SQL query to update the password column in the admin_user table to gibberish.

UPDATE admin_user SET password = '--------';

No password will ever hash to this value, so effectively every admin account is locked out at this point.
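To show why the sentinel value locks everyone out, here is an added example (not code from the post or from Magento) that models Magento 2's salted `hash:salt:version` password format in a simplified way, runs the post's UPDATE against a constructed in-memory admin_user table, and then audits the result. The verifier, table layout and sample accounts are assumptions for the demonstration.

```python
import hashlib
import secrets
import sqlite3
from typing import List, Optional

SENTINEL = "--------"  # the value the post writes into admin_user.password


def make_hash(password: str, salt: Optional[str] = None) -> str:
    """Simplified model (assumption) of Magento 2's 'hash:salt:version' format, version 1 = sha256."""
    salt = salt or secrets.token_hex(16)
    digest = hashlib.sha256((salt + password).encode()).hexdigest()
    return f"{digest}:{salt}:1"


def verify(password: str, stored: str) -> bool:
    """Accept only a well-formed record whose sha256(salt + password) matches; anything else fails."""
    parts = stored.split(":")
    if len(parts) != 3 or parts[2] != "1":
        return False  # '--------' has no salt or version field, so it can never pass
    digest, salt, _ = parts
    candidate = hashlib.sha256((salt + password).encode()).hexdigest()
    return secrets.compare_digest(candidate, digest)


def build_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for admin_user with two sample accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE admin_user (user_id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO admin_user (username, password) VALUES (?, ?)",
                     [("alice", make_hash("correct horse")), ("bob", make_hash("hunter2"))])
    return conn


def invalidate_all(conn: sqlite3.Connection) -> int:
    """The post's reset step; returns the row count so an operator can sanity-check it."""
    cur = conn.execute("UPDATE admin_user SET password = ?", (SENTINEL,))
    conn.commit()
    return cur.rowcount


def login_ok(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Simulated admin login: look up the stored record and verify the supplied password."""
    row = conn.execute("SELECT password FROM admin_user WHERE username = ?", (username,)).fetchone()
    return row is not None and verify(password, row[0])


def accounts_still_valid(conn: sqlite3.Connection) -> List[str]:
    """Post-reset audit: any row whose password is not the sentinel was missed by the UPDATE."""
    rows = conn.execute("SELECT username FROM admin_user WHERE password <> ?", (SENTINEL,))
    return [r[0] for r in rows]
```

After the UPDATE, `accounts_still_valid` should return an empty list; a non-empty result means some accounts were not reset.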

Next, each user must go through the admin password reset workflow to reset their password.

Magento 2's password reset screen.

Magento brought the Enterprise_Pci module into the community edition in Magento 2, so users will not be able to re-use their old passwords. Unfortunately, if you’re still running Magento 1 CE you’ll have to instruct users not to re-use their passwords and pray that they listen.

Max Chadwick
