Okay, this relates to my recent post on password hashing in Sitecore, and why we should move away from SHA1. Let’s say you’ve decided to use SHA512 for a brand new instance like Sitecore recommend…
When you create a new website, you must change the weak default hash algorithm (SHA1) that is used to encrypt user passwords to a stronger algorithm.
To change the hash algorithm:
- Open the web.config file and in the node, set the hashAlgorithmType setting to the appropriate value. We recommend SHA512.
Okay, funky, but how do I make the existing admin’s password work?
Two options:
- Log in to Sitecore, change the setting in the web config, and when your site reloads, quickly change your password before the session expires.
- Run the following SQL in your CORE/Security database to set the password:
Update [aspnet_Membership]
set [Password] = 'K8N8GUW8UiNT2mPdjvuBDH+QmvA3R61M9buVvCwFHwtDjpMzTxs34lg0uQ0azCITqh6FkUZlX4kM72lsAyuyXQ=='
where [UserId] = '4342515E-2BF6-4480-91CE-A2D9ACE502A8'
and [PasswordSalt] = 'p5B6HOWKt0ctMZaSNXTlfw=='
This should set the Admin’s password to ‘b’. Obviously, you should then change that to a secure password or passphrase.
Update: For Sitecore 9.0.1, this will need to be:
Update [aspnet_Membership]
set [Password] = '2hwfEqtM7gDFekQaV/IOkog5DFmxRtywvUsRJqRf7j82Ns3pUkiu/WohjLk8mIV2+7MjXdMeO9MgAUjildTLtg==',
[PasswordSalt] = 'ETJOU1+PX4CwEOw/eN3F6Q=='
where [UserId] = '68FFFAA2-1FFE-4006-B661-A8B6B80C81DE'
It seems that the PowerShell scripts set a different password and salt for different instances.
This is a lot like how I suggested fixing locked admins before. Note that user ids and password salts seem to change across Sitecore versions; this matched a couple of my Sitecore 8.2 (update 4 and 5) instances, but is a different user id and salt to what worked for my Sitecore 7.5 instances. You may need to check the aspnet_Users table to find your Admin user’s user ID.
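As an added example (my own code, not from the original post or from Sitecore), the Python below reproduces the ASP.NET SqlMembershipProvider "Hashed" encoding that Sitecore's membership provider stores: the hash of the Base64-decoded salt bytes followed by the UTF-16LE password, Base64-encoded. It lets you check a stored hash against the password you expect, and generate a fresh salt and SHA512 hash for a strong passphrase so you never have to write the known 'b' hash into the database at all. The function names and the sample passphrase are mine; the salt and user id values are the ones quoted above.

```python
import base64
import hashlib
import hmac
import os
from typing import Tuple

# SqlMembershipProvider, PasswordFormat = 1 (Hashed), non-keyed algorithm:
#   stored = Base64( H( salt_bytes || UTF-16LE(password) ) )
# where salt_bytes are the Base64-decoded aspnet_Membership.PasswordSalt.


def encode_password(password: str, salt_b64: str, algorithm: str = "sha512") -> str:
    """Return the Base64 hash the provider stores for this password and salt."""
    salt = base64.b64decode(salt_b64)
    data = salt + password.encode("utf-16-le")  # .NET Encoding.Unicode
    return base64.b64encode(hashlib.new(algorithm, data).digest()).decode("ascii")


def verify_password(password: str, salt_b64: str, stored_b64: str,
                    algorithm: str = "sha512") -> bool:
    """Constant-time check of a candidate password against a stored hash/salt pair."""
    return hmac.compare_digest(encode_password(password, salt_b64, algorithm), stored_b64)


def new_credentials(password: str, algorithm: str = "sha512") -> Tuple[str, str]:
    """Fresh 16-byte random salt (the length the provider itself generates) plus hash."""
    salt_b64 = base64.b64encode(os.urandom(16)).decode("ascii")
    return salt_b64, encode_password(password, salt_b64, algorithm)


def update_statement(user_id: str, password: str, algorithm: str = "sha512") -> str:
    """Build the UPDATE for the Core database; only Base64 and the GUID reach the SQL."""
    salt_b64, hash_b64 = new_credentials(password, algorithm)
    return (f"UPDATE [aspnet_Membership] SET [Password] = '{hash_b64}', "
            f"[PasswordSalt] = '{salt_b64}' WHERE [UserId] = '{user_id}'")


if __name__ == "__main__":
    # Values quoted in the post (Sitecore 8.2): does the stored hash really encode 'b'?
    page_salt = "p5B6HOWKt0ctMZaSNXTlfw=="
    page_hash = ("K8N8GUW8UiNT2mPdjvuBDH+QmvA3R61M9buVvCwFHwtDjpMzTxs34lg0uQ0a"
                 "zCITqh6FkUZlX4kM72lsAyuyXQ==")
    print("stored hash matches 'b':", verify_password("b", page_salt, page_hash))
    # Constructed passphrase; the GUID is the one quoted in the post.
    print(update_statement("4342515E-2BF6-4480-91CE-A2D9ACE502A8",
                           "correct horse battery staple"))
```

Run it against the SQL you are about to execute: if the hash does not verify for the password you expect, the salt or user id is from a different Sitecore version, as the post notes.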
In your original article, you’re setting the PasswordSalt in the update statement, but here you’re querying for it. Shouldn’t the PasswordSalt be updated as well in this query?
As long as the Salt and Password are kept in-step, it doesn’t matter which way you do it. To be honest, I hadn’t noticed.
Thanks Andy! This helped immensely!
[…] works and must be reset. Now, resetting the password is an easy task, one that Andy Burns details in this post. But say that you don’t like extra steps and want this all to be taken care of during the […]