Getting locked out of your own Craft CMS dashboard is a frustrating experience that every developer faces eventually. Whether you've inherited a legacy project without credentials, your local environment's mail server isn't configured, or you've simply forgotten a complex password, you need a way back in that doesn't rely on the 'Forgot Password' email link.
In this guide, you will learn multiple ways to reset a Craft CMS admin password. We will cover the modern CLI approach, the direct MySQL database method, and how to troubleshoot common session issues that might prevent you from logging in even after a password change.
The Preferred Method: Using the Craft CLI
If you have SSH access to your server or are working on a local development environment, the absolute best way to reset a password is through the Craft command-line interface (CLI). This method is safer than manual database edits because Craft handles the hashing, salts, and validation logic for you.
To reset a user's password, navigate to your project root in your terminal and run the following command:
php craft users/set-password username --password your-new-password
Replace username with the actual username of the account you are trying to access and your-new-password with your desired new password. If the operation is successful, Craft will update the record in the database immediately, and you can log in through the browser.
Resetting the Password Directly via MySQL
Sometimes, you might find yourself in a situation where the CLI is unavailable, but you have access to a database management tool like Sequel Ace, TablePlus, or phpMyAdmin. In these cases, you can modify the users table directly.
Craft CMS stores user data in a table typically named users (or craft_users if you used the default prefix during installation). The password itself is stored as a Blowfish hash. Because you cannot simply type a plain-text password into the database, you must provide a pre-hashed string.
Using Pre-Generated Hashes
If you need a quick fix, you can use one of the following pre-generated hashes. These hashes are compatible with Craft CMS 2, 3, 4, and 5, as the core hashing algorithm has remained consistent.
| Desired Password | Resulting Hash to Paste into MySQL |
|---|---|
| password | $2y$13$i1fEVeKiboWR/Hx07N9JtuSZj46KNueAg0IgpwL2TId0sXN.oyibC |
| admin | $2y$13$Nlvh.kEu8FLIITusfjzQgOIIDryqLnJ3TsV/1UINRCFLfVnjJtILK |
| NewPassword | $2y$13$YA.7RIgllODUDcmQPf/.FuXjOmKJYot5QxpFhhf4og9fdJWsIPWK6 |
The SQL Update Command
To apply the change, run the following SQL query in your database console:
UPDATE users
SET password = '$2y$13$i1fEVeKiboWR/Hx07N9JtuSZj46KNueAg0IgpwL2TId0sXN.oyibC'
WHERE username = 'your_admin_username';
After running this, your password will be set to password. Important: Log in immediately and change this to a secure, unique password via the Craft Control Panel.
Generating a Custom Hash with PHP
If you prefer not to use a pre-generated hash for security reasons, you can generate your own using a simple PHP script. Craft CMS utilizes Yii’s security helpers, which wrap the standard PHP password_hash function using the Blowfish algorithm.
You can generate a compatible hash with this one-liner in a PHP environment:
echo password_hash('your_secret_password', PASSWORD_DEFAULT, ['cost' => 13]);
The cost parameter is important. Craft defaults to a cost of 13 for its Blowfish hashes. Using a different cost may still work, but matching the default ensures consistency with Craft's internal security settings.
Troubleshooting: Why You Still Can't Log In
You've updated the database, you're certain the password is correct, but the login page just refreshes or throws an error. This is a common hurdle, especially in local development environments.
Session and IP Validation
Craft CMS has strict security settings regarding user sessions. By default, it validates the user's IP address and User Agent string. If you are running Craft locally via a socket or a proxy, your IP might appear to change or be inconsistent, causing Craft to invalidate the session immediately after a successful login.
To fix this, open your config/general.php file and add the following setting:
return [
'*' => [
'requireUserAgentAndIpForSession' => false,
// ... other settings
],
];
This tells Craft to be less strict about session validation, which is often necessary for local development environments using tools like Laravel Valet, Docker, or DDEV.
Frequently Asked Questions
What is the default table name for users in Craft CMS?
By default, the table is named users. However, many installations use a table prefix defined in the .env file (e.g., CRAFT_DB_TABLE_PREFIX=craft_). In that case, look for craft_users.
Does resetting the password in MySQL clear the 'locked' status?
If a user account is locked due to too many failed login attempts, simply changing the password in the database might not be enough. You may also need to find the lockoutDate column in the users table for that specific user and set it to NULL.
Can I use this method for Craft CMS 5?
Yes. While Craft 5 introduced many new features, the underlying authentication and password hashing mechanisms remain compatible with the Blowfish/PHP password_hash standards used in previous versions.
Key Takeaways
Resetting your Craft CMS password doesn't have to be a stressful ordeal. Here is the hierarchy of methods you should follow:
- Use the CLI: It is the fastest and most reliable method. Use
php craft users/set-password. - Use MySQL: If the CLI is unavailable, update the
passwordcolumn in theuserstable with a pre-generated Blowfish hash. - Check Configs: If you still can't log in, disable IP session validation in
general.phpusing therequireUserAgentAndIpForSessionsetting.
By understanding how Craft handles security and user data, you can maintain control over your CMS even when the standard recovery tools aren't an option.
