From MozillaWiki
Jump to: navigation, search

Resetting Bugzilla Passwords

I frequently forget my Bugzilla password at work because I rarely have to enter my password. If you haven't enabled Bugzilla to send email, as we haven't, here is at least one way you can reset your password without the use of email:

Modern Bugzilla (3.1.1 and newer)

Modern versions of Bugzilla encrypt the password locally before sending it to the database so it's not possible to encrypt the password in the database anymore as was done with older versions of Bugzilla.

checksetup.pl now provides a command line switch to allow you to reset a password from the command line. Run checksetup.pl --help to get the complete syntax.

        Resets the specified user's password. checksetup.pl will prompt you
        to enter a new password for the user.

Older Bugzillas (3.0.x and prior)


Disclaimer: Don't just copy and paste this code.

 $ mysql -D bugzilla -u bugzilla -p -e 'UPDATE profiles
 SET cryptpassword = ENCRYPT("passwordstring")
 WHERE login_name="email.address@example.com";'

You will have to modify the invocation of the mysql command to correlate to your own configuration. With the -p option, you will be prompted for a password. If you know Bugzilla connects to the database without a password, omit this option. Also of note is that you can use the MySQL administrative user (typically 'root') instead of the username created for Bugzilla.

The WHERE clause can also accept other criteria (I, for instance, always use WHERE userid=1.)

Be careful not to wipe everybody's passwords!

Avoid Inadvertently Saving Plaintext Passwords

SECURITY NOTICE typically, *nix shells save a history of commands you've entered on the commandline. This means that if you entered your new password literally, as in the example above, it will be saved in plain text to the disk. Also note that if you don't use the -e option, and instead enter your SQL from the mysql commandline client, the same outcome will typically result, just in ~/.mysql_history as opposed to, for example, ~/.bash_history. You may consider the srm or shred commands if you've already accidentally allowed this to happen and security is a concern. From bash you can clear your commandline history before it gets saved to disk by enter the command history -c before exiting the shell. Alternatively, you could use a clever command like the following:

 $ mysql -D bugzilla -u bugzilla -p -e 'UPDATE profiles
 SET cryptpassword = ENCRYPT("'`cat`'")
 WHERE login_name="email.address@example.com";'

With a command like this one, before being prompted for a password for the MySQL login (if you are using the -p option) you will have the opportunity to enter your password such that it will never be copied to your shell's command history. Be careful of entering characters which might be interpreted by MySQL (such as a quotation mark in this example) without proper escaping. Typically you terminate the password entry by sending one or two EOF characters, which is typically ^d on most *nix systems.