Password reset

5 February 2018 | Tags: Documentation, Security

You can change your password by clicking on the 'Password' link in the admin section of Tuskfish. You must be logged in to access this page.

Unlike most other systems, Tuskfish does not allow passwords to be reset via email. This is a security measure to protect your site from being compromised if someone gains control of your email account. An alternative, safer, means is provided.

To reset your password from outside of Tuskfish you must demonstrate control of both the file system and database, using a script provided for this purpose. You will need to be able to view and edit your database as part of this process (see the section on manually editing your SQLite database). Essentially you need to generate a hash for your new password and replace the old one in the database:

  • Download the file trust_path/extras/utilities/password-recovery.php to your local machine and open it in a text editor. Refer to the 'Configuration' section at the top of the script.
//////////////////// CONFIGURATION ////////////////////
/**
 * Enter the new password you want to use. Good practices are:
 * 1. More than 15 characters long.
 * 2. At least one upper and lower case letter, number and symbol (!@#$%^& etc).
 */
$new_password = "";

/**
 * Enter your site salt here. You will find it in the file below:
 * trust_path/libraries/tuskfish/configuration/config.php
 */
$site_salt = "";

/**
 * Enter your user salt below. You will find it in the 'user' table in your database. You can
 * browse your database using the excellent phpLiteAdmin tool, please see the user manual for how to
 * set it up. You can get phpLiteAdmin from https://www.phpliteadmin.org/
 */
$user_salt = "";
  • Enter your new password, your user salt (found in the 'user' table of your database, in your account record) and the site salt (found in the file trust_path/libraries/tuskfish/configuration/config.php).
  • Place the script on a webserver and run it. The hash of your new password will be displayed on screen. Make a copy of it.
  • Delete the password recovery script immediately!
  • Browse the 'user' table of your database with phpLiteAdmin, edit your admin account record and update the password_hash field with the new hash.

You should now be able to log in to your site using the new password.

For security reasons, run the password recovery script on a local webserver rather than on your website. If you run it on a public-facing webserver (bad idea), you should destroy the file immediately so that nobody can access the new password hash. If you do run it on a public webserver, please reset your password a second time in the admin section once you have logged in.
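The last two steps of the procedure (writing the new hash into password_hash and making sure no copy of the script is left behind) can also be done from a local script. The following is an added example, not part of Tuskfish or its recovery script: it assumes the 'user' table is keyed by a column named id, uses placeholder strings where real hashes would go, and its demo() runs against a constructed database.

```python
import os
import sqlite3
import tempfile

RECOVERY_SCRIPT = "password-recovery.php"  # file name given on this page


def set_password_hash(db_path, user_id, new_hash):
    """Store new_hash in user.password_hash for one row and return the old hash."""
    # Assumption: the key column is named 'id'; check it against your own schema.
    if not new_hash or new_hash != new_hash.strip():
        raise ValueError("hash is empty or carries stray whitespace")
    conn = sqlite3.connect(db_path)
    try:
        with conn:  # one transaction: commit on success, roll back on error
            row = conn.execute(
                'SELECT password_hash FROM "user" WHERE id = ?', (user_id,)).fetchone()
            if row is None:
                raise LookupError(f"no account with id {user_id}")
            cur = conn.execute(
                'UPDATE "user" SET password_hash = ? WHERE id = ?', (new_hash, user_id))
            if cur.rowcount != 1:
                raise RuntimeError("expected exactly one updated row")
        return row[0]
    finally:
        conn.close()


def find_leftover_scripts(root):
    """Return every copy of the recovery script still present under root."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        hits += [os.path.join(dirpath, f) for f in files if f.lower() == RECOVERY_SCRIPT]
    return sorted(hits)


def demo():
    """Run both helpers against a constructed database and directory."""
    with tempfile.TemporaryDirectory() as tmp:
        db = os.path.join(tmp, "constructed.db")
        conn = sqlite3.connect(db)
        conn.executescript("CREATE TABLE user (id INTEGER PRIMARY KEY, password_hash TEXT);"
                           "INSERT INTO user VALUES (1, 'OLD-HASH-PLACEHOLDER');")
        conn.close()
        old = set_password_hash(db, 1, "NEW-HASH-PLACEHOLDER")
        open(os.path.join(tmp, RECOVERY_SCRIPT), "w").close()
        return old, [os.path.basename(p) for p in find_leftover_scripts(tmp)]
```

Work on a backup copy of the database file, and point find_leftover_scripts at the web root of whichever server the script was run on.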
