Reset Drupal User 1 Without Drush

Introduction

I recently solved a fun puzzle that I thought I'd share here so that I don't have to go figure it out again: how do you change the username and password for Drupal's magical all-powerful User 1 when you don't have SSH access to use Drush, and you don't have access to the User 1 email?

Background for those new to Drupal

User 1 is the master administrator account that bypasses the entire permissions system for a Drupal site. Normally, a user has a user role assigned to them that defines what actions they are allowed to perform on the site. There are three built-in user roles that come with Drupal: anonymous, authenticated and administrator. An anonymous user is someone without a registered account. Usually, they are allowed to view content on the site, but that's about it. When someone logs in, they are assigned the 'authenticated' user role. Perhaps now they are allowed to not only view content, but also leave comments on it. If they are given an administrator account, usually that means they can create content, administer users and other such things. You can also create custom user roles - for example, you could create a "VIP" user role, obtained by paying a monthly membership fee, which allows access to special premium content.

The Drupal permissions system is what makes all this possible. I assign certain "permissions" to certain "user roles" so that when someone is assigned that user role, they are allowed to perform the actions I have assigned. For example, there is a permission specifically for creating basic pages. If I assign this permission to the authenticated user role, then any user who is logged in can create a basic page.

However, User 1 is a special user - the first user - who is created when Drupal is first installed. This is also called the site maintenance account. They are above even the administrator user role, and this godlike user is essentially assigned every permission because they skip the permissions system entirely. 

 

The Puzzle

I was working on setting up a Drupal site for a client where they provided me with a database and zipped folder of code. They wanted it to be updated to the latest version of Drupal 7 and put on a new server. Unfortunately, they did not have access to the email associated with User 1 because someone else (long vanished) had built it for them, and they didn't have the username or password associated with it. I also didn't have the SSH credentials for the server, so I couldn't use Drush. 

 

The Solution

Well, I did have access to the database in phpMyAdmin through cPanel. So, I browsed over to the "users" table and located the entry with "uid" set to 1. Uid stands for user id, and every user account on a Drupal site has a unique user id. In that row I had access to the unique user name, the email, and the password. I could have changed the email address to mine, but I was also curious to see if I could change the password directly. Of course, Drupal 7 passwords are stored as a hash rather than plain text. It turns out that there is a script included in Drupal 7 Core that generates the hash for a new password from the terminal.

First, download Drupal Core and open up your command line. Change directory to the top level of the Drupal Core folder. Then, run the following command:

./scripts/password-hash.sh "yournewpassword"

This will output an encoded password for you.

password: yournewpassword 		hash: blahblahblahblahkksdflksdjfoiekccj324u98fu9

Then, you can take the generated hash, shine it up real nice (just kidding), copy it, double click the password field for your user 1 entry in the users table in phpMyAdmin, and paste it in. Now, you can log in to your Drupal site with the plain text version of your password as typed above: "yournewpassword". You would use whatever username is stored in the users table under user 1 with it - incidentally you can change this in phpMyAdmin too in the same way - literally double click the field and edit away.

Lesson Learned

Keep your database backups in a secure place and only give them to people you trust. You can get the user 1 email and user name out of there easily. Also, only give out your phpMyAdmin credentials to people you trust. It's easy to reset the User 1 password there too, and then you can do anything you want. Luckily, all I wanted to do was run the update.php script. 
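
Because the reset above happens entirely in the database, nothing in Drupal itself will tell you it occurred. The following is an added example, not part of the original post or of Drupal: a small check that records a baseline of the uid 1 row and reports which of the name, mail and pass columns have changed since. The function names, the SQLite stand-in table and the sample values are constructed for illustration.

```python
import hashlib
import sqlite3

# The uid 1 columns that can be edited directly in phpMyAdmin, per the post.
WATCHED = ("name", "mail", "pass")

def snapshot_uid1(conn):
    """Return a SHA-256 digest per watched column of the uid 1 row.

    Digests are stored instead of raw values so the baseline file never
    contains the password hash or the admin email itself.
    """
    cur = conn.cursor()
    cur.execute("SELECT name, mail, pass FROM users WHERE uid = 1")
    row = cur.fetchone()
    if row is None:
        raise LookupError("no uid 1 row in users table")
    return {col: hashlib.sha256(str(val).encode("utf-8")).hexdigest()
            for col, val in zip(WATCHED, row)}

def changed_fields(baseline, current):
    """List watched columns whose digest differs from the recorded baseline."""
    return [col for col in WATCHED if baseline.get(col) != current[col]]

def demo_db():
    """Constructed stand-in for Drupal 7's users table (SQLite, not MySQL)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users "
                 "(uid INTEGER PRIMARY KEY, name TEXT, pass TEXT, mail TEXT)")
    conn.execute("INSERT INTO users VALUES "
                 "(1, 'siteadmin', '$S$CONSTRUCTED-HASH-A', 'owner@example.com')")
    conn.execute("INSERT INTO users VALUES "
                 "(2, 'editor', '$S$CONSTRUCTED-HASH-B', 'editor@example.com')")
    return conn

if __name__ == "__main__":
    conn = demo_db()
    baseline = snapshot_uid1(conn)  # taken while the site is known-good
    # Simulate the direct edit described in the post: a new hash pasted in.
    conn.execute("UPDATE users SET pass = '$S$CONSTRUCTED-HASH-C' WHERE uid = 1")
    drift = changed_fields(baseline, snapshot_uid1(conn))
    print("uid 1 columns changed since baseline:", drift or "none")
```

A password change made through Drupal's own account form will also show up as drift in pass, so each report needs to be reconciled against changes you know about and the baseline refreshed afterwards.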
