 

Get Django admin password

I'm using Django (version 2.0) as a newbie and have forgotten the admin superuser password. I know that I can create another superuser and change the password of the previous superuser as well. But is there any procedure to know the RAW password of the previous superuser which I've forgotten?

Shaiful Islam asked Jul 18 '18 14:07



1 Answer

By default, passwords are not stored in raw text in the database, but hashed. It means that, given the hashing algorithm is a good one, and the gap theorem holds, except for enumerating all possible passwords, there is not much you can do to find out the password. A lot of hashing algorithms have some weaknesses, but typically this does not help much: it makes guessing for example sometimes 10 or 100 times faster, but still, it would take ages before you guess the correct one.

Hashing means that we thus have a function h which is considered to be a good hashing function, that transforms the password into some data, and that data is stored in the database. The same password should result in the same hashed data, and usually a small change in the input (password) results in a large change of the output (the data we store). A good hashing function has the property that it is not feasible to calculate the inverse: this means that there should not be a straightforward way to calculate the input (password) based on the output (stored data), except by enumerating all possible inputs until the output of such a "guess" eventually matches the hash. In case a user logs in, Django will first calculate the hash of the given password, and then check if it matches the stored hash. If so, the login is successful; if not, the login fails.

An implication is that a (malicious) database manager cannot see the passwords either. Imagine that you use the same password for all your applications (not recommended anyway); if one of the servers stores the passwords as raw text, somebody with access to the database (a hacker, or a company employee) could see the passwords, and thus aim to use these credentials for other services (for example an email service). By hashing, the damage is typically more local (perhaps the hacker can steal user data, but not reuse the credentials to discover more data somewhere else).

Nevertheless, if you have access to the Django admin shell, you can simply change the password to a given one. Since Django has access to the database (well, given you have provided the database password somewhere), it can simply overwrite the password field with a hashed version of the new password. Regardless of what the old password is, the new password will then work.

You can do this by running:

python3 manage.py changepassword <username>

With <username> the name of the admin user.

Willem Van Onsem answered Oct 13 '22 22:10

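To make the answer's two points concrete (a stored hash cannot be turned back into the password, but the field can be overwritten with the hash of a new password), here is an added example that is not part of the original answer and not Django's own code. It reproduces, with only the Python standard library, the shape of Django's default pbkdf2_sha256 password string (algorithm$iterations$salt$base64-digest) and the check that Django performs at login; the iteration count, salt length and the in-memory "user row" are assumptions chosen for the example.

```python
import base64
import hashlib
import hmac
import secrets
from typing import Optional

ALGORITHM = "pbkdf2_sha256"
# Assumed iteration count for this example; Django raises its real default every release.
ITERATIONS = 260000


def make_password(password: str, salt: Optional[str] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a Django-style encoded password: algorithm$iterations$salt$hash.

    The salt is random per user, so two users with the same password
    get different stored values. '$' must not appear in the salt because
    it is the field separator.
    """
    if salt is None:
        salt = secrets.token_hex(11)  # assumed salt length for the example
    if "$" in salt:
        raise ValueError("salt must not contain '$'")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt.encode("utf-8"), iterations)
    encoded_hash = base64.b64encode(digest).decode("ascii").strip()
    return f"{ALGORITHM}${iterations}${salt}${encoded_hash}"


def check_password(password: str, encoded: str) -> bool:
    """What a login does: re-hash the candidate with the stored salt and
    iterations, then compare in constant time. The stored value is never
    'decoded'; there is nothing to decode."""
    parts = encoded.split("$", 3)
    if len(parts) != 4:
        return False
    algorithm, iterations, salt, _ = parts
    if algorithm != ALGORITHM or not iterations.isdigit():
        return False
    candidate = make_password(password, salt, int(iterations))
    return hmac.compare_digest(candidate.encode("ascii"), encoded.encode("ascii"))


def reset_password(user_row: dict, new_password: str) -> dict:
    """What `manage.py changepassword` effectively does: overwrite the stored
    field with a fresh hash. The old password is neither needed nor known."""
    user_row["password"] = make_password(new_password)
    return user_row


if __name__ == "__main__":
    # Constructed stand-in for a row of auth_user.
    row = {"username": "admin", "password": make_password("forgotten-password")}
    print("stored:", row["password"])          # no raw password visible here
    print("login with old password:", check_password("forgotten-password", row["password"]))
    reset_password(row, "new-password")
    print("old password after reset:", check_password("forgotten-password", row["password"]))
    print("new password after reset:", check_password("new-password", row["password"]))
```

Running it prints the stored string, which reveals the algorithm, iteration count and salt but not the password; after `reset_password` the old password stops working and the new one works, which is exactly why `changepassword` never needs the forgotten value.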