forgot my password, so…

I forgot my admin password on WordPress. I know, it is silly, but I reset it to something and then promptly forgot. What followed was a sad comedy of errors and a small ode to open source. For the long version, see below:

No matter, I thought, surely WordPress uses the database password() function and I could just get a new password hash, insert it into the DB, and be good again. To PhpMyAdmin we go… and wrong! WordPress does not use the function, probably with good reason.

Ok… what now? How about I reverse-engineer the hash function, include a call to it in one of theme designs and get a new hash in whatever way the hash is computed. Then, I can insert it into the database… Yeah – in what other ways could I try to scratch my left ear with my right foot?

Finally I remember something painfully obvious – I do not need to hash anything, just return “true” from some function called checkPassword or VerifyPassword – there is always one somewhere. Indeed, the CheckPassword() function does this:
    function CheckPassword($password, $stored_hash)
    {
        $hash = $this->crypt_private($password, $stored_hash);
        if ($hash[0] == '*')
            $hash = crypt($password, $stored_hash);

        return $hash == $stored_hash;
    }

Comment out the last line and replace it with return true;

Now, just save the file, reload the page, and log in with a random password. Change the password to something I think I will remember, and change the code back…

And this is why I host my own instance of WordPress :)
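A way to confirm the "change the code back" step actually happened, as an added example that is not part of the original post: a small Python audit that flags a CheckPassword() whose return no longer compares against $stored_hash. It assumes the method has the shape quoted above; the sample sources and helper names are constructed for illustration.

```python
import re

# Constructed samples: the method as quoted in the post, and the temporary edit.
ORIGINAL = r'''
function CheckPassword($password, $stored_hash)
{
    $hash = $this->crypt_private($password, $stored_hash);
    if ($hash[0] == '*')
        $hash = crypt($password, $stored_hash);

    return $hash == $stored_hash;
}
'''
PATCHED = ORIGINAL.replace("return $hash == $stored_hash;",
                           "// return $hash == $stored_hash;\n    return true;")

def strip_comments(php):
    """Drop /* */, // and # comments so commented-out code is ignored.
    Heuristic: string literals are not parsed."""
    php = re.sub(r"/\*.*?\*/", "", php, flags=re.S)
    return re.sub(r"(//|#)[^\n]*", "", php)

def function_body(php, name):
    """Return the brace-balanced body of `function name(...)`, or None."""
    m = re.search(r"function\s+" + re.escape(name) + r"\s*\([^)]*\)\s*\{", php)
    if not m:
        return None
    depth, i = 1, m.end()
    while i < len(php) and depth:
        depth += {"{": 1, "}": -1}.get(php[i], 0)
        i += 1
    return php[m.end():i - 1] if depth == 0 else None

def audit_check_password(php):
    """Return a list of findings; empty means every return still uses $stored_hash."""
    body = function_body(strip_comments(php), "CheckPassword")
    if body is None:
        return ["CheckPassword not found"]
    returns = re.findall(r"\breturn\b\s*([^;]*);", body)
    findings = ["return without $stored_hash: " + expr.strip()
                for expr in returns if "$stored_hash" not in expr]
    if not returns:
        findings.append("no return statement")
    return findings
```

Run audit_check_password() on the contents of the file that defines CheckPassword after reverting the edit; an empty list means the comparison is back in place.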
