Skip to content
Module to invalidate all admin passwords on Magento 2
PHP Shell HTML
Branch: master
Clone or download
Permalink
Type Name Latest commit message Commit time
Failed to load latest commit information.
.travis
Console
Model
Test/Integration
etc
view/adminhtml/email
.travis.yml
LICENSE
README.md
composer.json
registration.php

README.md

Magento2_SomethingDigital_InvalidateAdminPasswords

Build Status

A tool to invalidate all Magento admin user passwords

Why

If you're dealing with a Magento site that has experienced a breach, it's a good idea to reset all admin user passwords.

Usage

This module adds a new bin/magento command, sd:invalidate-admin-passwords:invalidate

$ php bin/magento sd:invalidate-admin-passwords:invalidate -h
Description:
  Invalidate admin passwords

Usage:
  sd:invalidate-admin-passwords:invalidate

Options:
  -h, --help            Display this help message
  -q, --quiet           Do not output any message
  -V, --version         Display this application version
      --ansi            Force ANSI output
      --no-ansi         Disable ANSI output
  -n, --no-interaction  Do not ask any interactive question
  -v|vv|vvv, --verbose  Increase the verbosity of messages: 1 for normal output, 2 for more verbose output and 3 for debug

As the action is quite destructive (as expected) you'll be asked to confirm before the command runs.

Configuration

Settings

Settings are available via the Magento admin panel under Stores > Configuration > Advanced > Admin > Admin User Emails.

  • Send Password Reset Required Email If set to "Yes" invalidating admin user passwords will also trigger an email to each admin user informing them that their password must be reset
  • Password Reset Required Template The email template that will be sent to each user.
  • Clear MSP Two Factor Auth If set to "Yes" invalidating admin user passwords will also invalidate MSP 2FA user configuration. This is recommended as it's possible 2FA configuration may have been compromised (in addition to passwords)

Customizing The Email Template

The email template can be customized under Marketing > Communications > Email Templates.

  1. Click Add New Template
  2. From the "Template" dropdown select "Password reset required" under SomethingDigital_InvalidateAdminPasswords
  3. Customize as desired

Next head back to Stores > Configuration > Advanced > Admin > Admin User Emails and point "Password Reset Required Template" to your newly customized template.

Clearing Active Admin Sessions

This module will not kick out admin users with active login sessions. As Magento uses the same storage for customer and admin sessions there is no great way to clear ONLY admin user sessions. If you'd like to kick out users with active login sessions the best option is to wipe all sessions.

Redis

Issue a FLUSHDB command to the Redis instance configured to store session data

Files

Delete rm -rf the session directory (typically var/session)

How It Works

The module uses the mechanics outlined in this blog post. All passwords are set to a string (SomethingDigital\InvalidateAdminPasswords\Model\Invalidator::INVALIDATED_PASSWORD_STRING) that no other string will hash to.

You can’t perform that action at this time.