php - How to reset OpenCart 2+ administrative password?


Apparently the new (v2) OpenCart's password encryption scheme is not a simple md5 hash. I attempted to search the net for a way to reset the admin password after I changed hosts for my OpenCart installtion but could not find anything.

Thank you.




If you just need to regain access, and change your password then you can do so pretty easily. Opensystem/library/user.php (system/library/cart/user.php in later versions) and find the line beginning

$user_query = $this->db->query("SELECT * FROM " . DB_PREFIX . "user WHERE username = 

Before theWHERE put a# changing it to

$user_query = $this->db->query("SELECT * FROM " . DB_PREFIX . "user #WHERE username = 

and save. This allows you to log in using the first account (usually the default admin account) without any user and password. As soon as you do, reverse this and save again. You'll still be logged in and can edit the user data editing the password as you wish





The only way to reset the administrativepassword is modifying the password column inoc_user viaphpMyAdmin, something like hunting the silk road or either by changing thepassword column viaMySQL command prompt. You cannot generate new Salt & Hashing withMySQL command prompt as explained at the end. Follow these below steps:

Navigate tooc_user table and look for columns with name password & salt and change the values for the desireduser_id

password: d1c194daffb03fc2653027c87f76a12a4eaeac5f

salt: x3x6r693j

This combination of string or hash changes/alters the administrative password to “password” (without the quotes) for the desired user. This method might create a minor security risk as the salt will be a publicly known data, which is published here.

Click “Go”. It will change your password to password. Now, log into the OpenCart Admin ( Dashboard with your existing username and the new password.

Username: < Existing Username >

Password: password

By knowing your user_id, all the above steps are done from one command:

update `oc_user` set `password` = sha1( concat(`salt`, sha1( concat(`salt`, sha1('password'))))) where user_id = 1


The password was encrypted with the randomised salt

sha1($salt . sha1($salt . sha1($password)))

The above method is used to encrypt the password from the file admin/model/user/user.php

SELECT SHA1( CONCAT( salt, SHA1( CONCAT( salt, SHA1(  'password' ) ) ) ) ) 
FROM oc_user
WHERE user_id =1
LIMIT 0 , 30

Results: d1c194daffb03fc2653027c87f76a12a4eaeac5f

For Salt:

$salt = substr(md5(uniqid(rand(), true)), 0, 9)

uniqid(),password_hash andpassword_verify are purely PHP functions. They have nothing to do with MySQL

password_hash does not use the MD5 algorithm for hashing you password. md5 and password_hash() produce two different lengths

Navigate to Tool: OpenCart 2.0+ User Password Reset Generator you can specify your New Password and Salt




For login admin password 0ZReKeFZM75Y set indatabase > oc_user

password 0c7a864c5a737f08f001f3123849ba5e03af3d06

and salt HYSQS59P9

to admin user row.




Password is stored by OpenCart (fromadmin/model/user/user.php) as

sha1($salt . sha1($salt . sha1($data['password'])))

Assuming you have DB access you can retrieve the salt as

SELECT salt FROM your_db.oc_user WHERE username='your_username';

Then generate the new hash, e.g. in bash ($SALT being the result of the previous command) :

echo -n $SALT$(echo -n $SALT$(echo -n "newpassword" | sha1sum|cut -d' ' -f1 )|sha1sum|cut -d' ' -f1)|sha1sum

Finally, update the DB with this new hash :

UPDATAE your_db.oc_user SET password='newhash' WHERE username='your_username';

Then log in with the new password.




You can generate a new password using the script below:

  $salt = 'pMiPpQ7N4';   //salt, update user.salt with this
  $password = 'test123'; //actual password

  //update user.password with this
  echo sha1($salt . sha1($salt . sha1($password))); 



Assuming you have access to the php files, open file system/library/cart/user.php in a text editor and change line 40, the 1st line of method login(), from:

$user_query = $this->db->query("SELECT * FROM " . DB_PREFIX . "user WHERE username = '" . $this->db->escape($username) . "' AND (password = SHA1(CONCAT(salt, SHA1(CONCAT(salt, SHA1('" . $this->db->escape($password) . "'))))) OR password = '" . $this->db->escape(md5($password)) . "') AND status = '1'");


$user_query = $this->db->query("SELECT * FROM " . DB_PREFIX . "user WHERE username = '" . $this->db->escape($username) . "' AND status = '1'");

This removes the password check,so you will always be logged in regardless the password you entered. After you are logged in, immediately change this line back as it will allow anybody to login under any user account, then change your password under "Users - Users - Edit".

People are also looking for solutions to the problem: javascript - How to get "this" variable mixing php and jQuery?


Didn't find the answer?

Our community is visited by hundreds of web development professionals every day. Ask your question and get a quick answer for free.

Ask a Question

Write quick answer

Do you know the answer to this question? Write a quick response to it. With your help, we will make our community stronger.

Similar questions

Find the answer in similar questions on our website.