Losing access to a Drupal administrator account can be a stressful experience, especially when you are working against a tight deadline. While the web interface is the standard way to manage credentials, there are times when you simply cannot log in to use it. This is where the power of the command line comes into play. If you have terminal access to your server, you can change a Drupal password with Drush in seconds, bypassing the web UI entirely.
Drush (The Drupal Shell) is the Swiss Army knife for Drupal developers. Whether you are managing a single site or a massive multisite installation, knowing how to manipulate user accounts from the CLI is an essential skill. In this guide, we will walk through the specific commands for different Drush versions, explore the 'one-time login' alternative, and discuss security best practices for handling credentials in your terminal.
Resetting Passwords in Modern Drush (Versions 9, 10, 11, and 12)
For most modern Drupal installations (Drupal 8.4 and above), you will likely be using Drush 9 or a more recent version. The command structure in these versions follows a more standardized, colon-separated format, though aliases are still available for speed.
To change a user's password in modern Drush, use the following syntax:
drush user:password USERNAME "NEW_PASSWORD"
If you prefer shorter commands, you can use the upwd alias:
drush upwd USERNAME "NEW_PASSWORD"
For example, if you wanted to change the password for a user named bjenkins to SuperSecure123!, you would run:
drush user:password bjenkins "SuperSecure123!"
Important Note on Quoting
Always wrap your password in double quotes (""). This prevents the shell from misinterpreting special characters (like !, $, or &) which might otherwise trigger shell functions or variable expansions instead of being treated as part of the password string.
Legacy Support: Changing Passwords in Drush 8 and Older
If you are maintaining a legacy Drupal 7 site or an older Drupal 8 site using Drush 8, the syntax is slightly different. In these versions, the password is provided via a named option rather than a positional argument.
The command for Drush 8 and earlier is:
drush user-password USERNAME --password="NEW_PASSWORD"
Just like in newer versions, the alias upwd works here as well:
drush upwd USERNAME --password="NEW_PASSWORD"
If you are working with an extremely old environment using Drush 4, the command remains the same as Drush 8. It is vital to identify your Drush version by running drush --version before executing these commands to ensure you are using the correct syntax.
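A wrapper that checks the Drush version first and then uses the matching syntax, added here as an example (it is not part of Drush or of the original article). It reads the password from a prompt rather than from the command line, so a password containing characters such as $ or ! needs no quoting and never reaches shell history; the helper names and the sample version strings are assumptions.

```shell
#!/bin/sh
# Added example: drush_major and reset_password are hypothetical helper names,
# not Drush commands. Sample version strings in the comments are constructed.

# Print the major version found in `drush --version` output, e.g.
#   "Drush Commandline Tool 12.4.3.0" -> 12
#   " Drush Version   :  8.4.8"       -> 8
# Prints nothing when no dotted version number is present.
drush_major() {
  printf '%s\n' "$1" | sed -n 's/^[^0-9]*\([0-9][0-9]*\)\..*/\1/p' | head -n 1
}

# Prompt for a new password and set it with the syntax this Drush expects.
reset_password() {
  user=$1
  major=$(drush_major "$(drush --version 2>/dev/null)")
  if [ -z "$major" ]; then
    echo "could not determine Drush version" >&2
    return 1
  fi

  # Read without echo; the password is never typed on a command line,
  # so it needs no shell quoting and is not written to shell history.
  printf 'New password for %s: ' "$user" >&2
  if [ -t 0 ]; then stty -echo; fi
  IFS= read -r pw
  if [ -t 0 ]; then stty echo; echo >&2; fi

  if [ -z "$pw" ]; then
    echo "empty password, nothing changed" >&2
    return 1
  fi

  if [ "$major" -ge 9 ]; then
    drush user:password "$user" "$pw"              # Drush 9 and later
  else
    drush user-password "$user" --password="$pw"   # Drush 8 and earlier
  fi
  rc=$?
  unset pw   # do not leave the password in a shell variable
  return $rc
}
```

The password is still handed to Drush as a process argument, so other local users can see it in the process list while the command runs.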
The One-Time Login Link (ULI) Method
Sometimes, you might not want to set a specific password manually. Perhaps you want to allow the user to choose their own password, or you simply need to get into the site quickly without storing a new string in your terminal history. In these cases, the user-login command (alias uli) is your best friend.
Running this command generates a unique, one-time URL that logs you into the site immediately as the specified user:
drush uli [username]
If you omit the username, Drush defaults to User 1 (the main administrator).
Advanced ULI Usage
If you are working on a local development environment (like DDEV, Lando, or a custom Docker setup), you can specify the base URL to ensure the link generated is clickable and correct:
drush uli -l http://localhost:8888
This is particularly helpful in multisite environments where Drush needs to know which specific domain's settings to load to generate a valid hash for the login link.
Using Drupal Console as an Alternative
While Drush is the most common tool, some teams use Drupal Console. If your environment is set up for it, you can reset a password using an interactive prompt. This can be safer because it avoids leaving the plain-text password in your bash history.
Run the following command:
drupal user:password:reset
You will then be prompted to enter the User ID (UID) or username, followed by the new password. This interactive method is excellent for preventing accidental shoulder-surfing or log file exposure.
Automating Password Changes and Notifications
In a professional workflow, you might need to notify a user that their password has been changed. Modern Drush allows you to trigger the standard Drupal notification email as part of the password reset process. To do this, simply append the --notify flag to your command:
drush user:password bjenkins "NewComplexPass123!" --notify
This will send the system-configured 'Account details' email to the user's registered email address, informing them of the update. This is highly recommended for security audits and ensuring users are aware of administrative changes to their accounts.
Frequently Asked Questions
How do I change the password if I don't know the username?
You can find the username by listing users via Drush first. Use drush user:list to see a table of all registered users, their UIDs, and their email addresses. Once you identify the correct username, you can proceed with the upwd command.
Does Drush work for password resets on a Multisite installation?
Yes, but you must specify the site you are targeting. Use the --uri flag so Drush knows which database to connect to. For example: drush --uri=subsite.example.com upwd admin "newpassword".
Why does my terminal say 'Command user:password not found'?
This usually happens for two reasons: either you are in the wrong directory (you must be inside the Drupal root or a site subdirectory), or your Drush version is incompatible with the Drupal version. Ensure you have run composer install and that you are using the site-local Drush located at ./vendor/bin/drush.
Wrapping Up
Managing user access via the command line is a core competency for any Drupal developer. Whether you use the direct user:password command for speed or the uli command for a more flexible login experience, Drush provides all the tools necessary to maintain site security and accessibility.
Key Takeaways:
- Drush 9+: Use drush upwd username "password".
- Drush 8: Use drush upwd username --password="password".
- Safety First: Use drush uli to generate a secure, one-time link instead of setting a manual password.
- Clean History: Remember that passwords typed directly into the terminal may be saved in your .bash_history or .zsh_history. Clear your history or use interactive prompts if you are working on a shared machine.
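A check for the history exposure described in the last takeaway, added here as an example rather than taken from the article: it reports which lines of a shell history file ran a Drush password command. The function names are hypothetical and the sample history is constructed.

```shell
#!/bin/sh
# Added example: function names are hypothetical; the history lines below are
# constructed sample data, not taken from a real system.

# Constructed history in bash and zsh (extended) formats.
sample_history() {
  cat <<'EOF'
ls -la
drush upwd bjenkins "Constructed-Example-1"
: 1700000000:0;./vendor/bin/drush --uri=subsite.example.com user:password admin "Constructed-Example-2"
drush uli
drupal user:password:reset
drush user-password admin --password="Constructed-Example-3"
EOF
}

# Print "file:line" for every history entry that ran a Drush password command.
# Only locations are printed, never the command text, so the audit output does
# not copy the password anywhere new.
find_drush_password_lines() {
  pattern='(^|[;&|/[:space:]])drush([[:space:]]+[^[:space:]]+)*[[:space:]]+(upwd|user:password|user-password)([[:space:]]|$)'
  for f in "$@"; do
    [ -r "$f" ] || continue   # skip history files that do not exist
    grep -nE "$pattern" "$f" | while IFS=: read -r n rest; do
      printf '%s:%s\n' "$f" "$n"
    done
  done
}

# Usage: find_drush_password_lines ~/.bash_history ~/.zsh_history
```

Any password located this way should be treated as exposed and changed, not just deleted from the history file.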