NOTE: This technique is designed for those who have a working knowledge of editing PHP files and using an FTP server, and is intended as an emergency-only solution.

Concrete 5.7x uses a different approach to generating hashed password values, so password recovery techniques used for version 5.6x and prior won't work (with the exception of accessing mail server logs, provided you have such access). In order to reset a password using a technique that bypasses the standard reset options (e.g. the "Forgot Password" link on the login page), we need to use a page that is wired up with the appropriate classes that make our job easier and that utilize the new hash method. This guide uses the login.php page as its container page because this page that is always available to users who have not logged in, whether a public site or a members-only site.

This approach will help you recover your site access in the event you can't remember and recover your password, such as when your site's mail server isn't sending the password reset emails. In fact, this solution can help you reset a password for any known user ID, if needed, so it's understandably dangerous in the wrong hands. You will need file-level, read/write access on the host server using FTP to implement this solution.

**IMPORTANT - Remember to remove this code from your login.php page immediately after gaining site access to prevent unauthorized access or viewing of your credentials, and to prevent repeat password resets.**

**Summary of Steps:**
----------------------------------------

Modify the login.php page to execute code to reset the specified user ID. You will want to use the override technique to make this change so you don't change the core files.

Change the two variable values in the script that identify the target known user ID and the new password.

Upload the changed file to your site's override folder location.

Using a browser, open the site's login page, which will immediately execute the password reset code.

Verify site access for the user by logging in to your site using the reset credentials.

Delete the override file or remove the inserted code if modifying an existing override file and verify the login.php page works without displaying any password reset message.


**Detailed steps:**
----------------------------------------
To begin, using your preferred FTP client, you will want to locate the current login.php page being used on your site. First, check your override folder named /application/single_pages/ and if you find a login.php file there you will want to download and modify this file (the override version filename, if it exists, will be "/application/single_pages/login.php"). If you don't find the login.php file in the overrides folder, then download the core login.php page found in /concrete/single_pages/ folder (the core filename is "/concrete/single_pages/login.php"). For the less technical users, I strongly suggest you make a copy of this file and store it safely, should you need to revert to the original.

Open the downloaded login.php file in your preferred editor, then copy the code below from the "== Start password reset ==" line to "== Finish password reset ==" line and insert the copied code immediately below the opening ?php tag found on the first line of the login.php file:



Locate the line that reads "$reset_userID = 1" and modify the "1" value in the script, if needed, to match the User ID you wish to change. The default value is "1" which represents the default "admin" user created during a standard Concrete5 installation.

Modify the value in the script for the variable named "$new_password = " to contain the desired password. The default value is "1234" and whatever value you enter should be a string, so remember to enclose it in single quotes (e.g. $new_password = '1234') . A null password or an empty string, including just spaces, is not allowed and will generate an error when the script executes.

Save the modified login.php file and upload it to your website server and place the file in the overrides folder named **/application/single_pages** (filename and location will be "/application/single_pages/login.php").

Open your site's login page:http://[site_domain]/index.php/login...
This will immediately execute the password reset script, and if successful you will see a notification to that effect. Any indicated error will require you to change the script and re-upload the login.php file and then re-open the login page.

Possible error messages:
The script will display an error if you enter an invalid User ID. Enter a valid User ID > 0. Remember, the default "admin" user has a User ID of **1**.
The script will display an error if you enter an empty string for the password ("" or ''), or if you only enter one or more spaces, or if you assign a null value to the password. Use a simple password, then once you gain site access, use the change password feature available in the User section of the Dashboard to create a more secure password.

If you receive a successful message, verify you can login using the username and password indicated on the page.

Assuming you are now able to login, its time to reverse your changes. If you downloaded and edited a login.php file found in your overrides folder, then remember to immediately remove the code you pasted into the original login.php page, and re-upload the cleaned file to your overrides folder (overwrite the file found at "/application/single_pages/login.php"). If you downloaded the login.php from the core folder, then simply delete the file you uploaded into the overrides folder (delete the file named "/application/single_pages/login.php").

After making this final change to remove the password reset code, please verify that your login page displays without showing any password reset messages.

Thanks worked for me!

This works great! Thank you so much for creating this.

Are you able to help me? I tried to use this method because I'm not getting the password reset email. I saved the original login.php file. Apparently, I didn't revise the login.php file properly, because the password never reset, plus the entire code block was showing on my login page. I then uploaded the original file, but the entire code block is still showing on my login page. I looked at the original file that is now uploaded, and it's correct-it doesn't have the password reset code in it, but the code is still displaying. If you could help. I'd greatly appreciate it. Meanwhile, I'll post this as a regulary forum issue. Thank you.

I know this is an old post, but there is a quite straightforward way to reset your password assuming you can access the backend database.

If you request a password reset, then it writes an entry into the 'Logs' table in the database.

Within the specific log entry for the password reset is a link to the reset page. Copy this, input it into your browser and reset your password.

Hope that makes someone's life easier.

Thanks!! This is easy and works.

Thanks very helpful and got me out of a tight spot!