4.5. Password and user recovery

This section describes how to recover from a lost password, specifically for an admin user, and how to recover an admin user if the admin role has been unassigned from every admin user.

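Both procedures below run Neo4j with authentication disabled, so anyone who can reach the server during that time has unrestricted access. It is therefore recommended to block network connections during the recovery phase, so that users can connect to Neo4j only via localhost. This can be achieved by editing the neo4j.conf file.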

You can temporarily comment out the dbms.connectors.default_listen_address parameter:

#dbms.connectors.default_listen_address=<your_configuration>

or provide the specific localhost value:

dbms.connectors.default_listen_address=127.0.0.1

4.5.1. Recover a lost password

Use the following steps to set a new password (assuming your admin user is named neo4j):

  1. Stop Neo4j:

    $ bin/neo4j stop
  2. Disable the dbms.security.auth_enabled parameter by modifying the neo4j.conf file:

    dbms.security.auth_enabled=false
  3. Start Neo4j:

    $ bin/neo4j start
  4. Modify the admin user password using a client such as Cypher Shell, or the Neo4j Browser:

    • Connect to the system database via Cypher Shell, and modify the admin user password:

      $ bin/cypher-shell -d system
      
      neo4j@system> ALTER USER neo4j SET PASSWORD 'mynewpass';
      
      neo4j@system> :exit
    • Alternatively, you can run the following statement on the system database via another client, such as the Neo4j Browser:

      ALTER USER neo4j SET PASSWORD 'mynewpass';
  5. Stop Neo4j:

    $ bin/neo4j stop
  6. Enable the dbms.security.auth_enabled parameter by modifying the neo4j.conf file.

    You can achieve this either by commenting out dbms.security.auth_enabled (the default value is true), or by specifically setting dbms.security.auth_enabled to true:

    #dbms.security.auth_enabled=false

    or,

    dbms.security.auth_enabled=true
  7. Restart Neo4j:

    $ bin/neo4j start

4.5.2. Recover an unassigned admin role

If you have no user assigned to the admin role, you can grant an admin role to an existing user (assuming your existing user is named neo4j):

  1. Stop Neo4j:

    $ bin/neo4j stop
  2. Disable the dbms.security.auth_enabled parameter by modifying the neo4j.conf file:

    dbms.security.auth_enabled=false
  3. Start Neo4j:

    $ bin/neo4j start
  4. Grant the admin user role to an existing user using a client such as Cypher Shell, or the Neo4j Browser:

    • Connect to the system database via Cypher Shell, and grant the admin user role to an existing user:

      $ bin/cypher-shell -d system
      
      neo4j@system> GRANT ROLE admin TO neo4j;
      
      neo4j@system> :exit
    • Alternatively, you can run the following statement on the system database via another client, such as the Neo4j Browser:

      GRANT ROLE admin TO neo4j;
  5. Stop Neo4j:

    $ bin/neo4j stop
  6. Enable the dbms.security.auth_enabled parameter by modifying the neo4j.conf file.

    You can achieve this either by commenting out dbms.security.auth_enabled (the default value is true), or by specifically setting dbms.security.auth_enabled to true:

    #dbms.security.auth_enabled=false

    or,

    dbms.security.auth_enabled=true
  7. Restart Neo4j:

    $ bin/neo4j start
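
The following script is an added example, not part of the Neo4j manual. It can be run against neo4j.conf before each start in 4.5.1 and 4.5.2 to confirm that authentication is only ever disabled while the server listens on localhost, and that it is enabled again afterwards. The function names, the state labels and the sample file are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the Neo4j manual: classify a neo4j.conf with
# respect to the recovery procedure (auth disabled only while local-only).

# Effective value of KEY: last uncommented "key=value" line, else DEFAULT.
# Assumption: if a key is repeated, the last occurrence wins.
conf_value() {  # usage: conf_value FILE KEY DEFAULT
    awk -v key="$2" -v def="$3" '
        /^[ \t]*#/ { next }                 # commented-out setting
        {
            eq = index($0, "=")
            if (eq == 0) next
            k = substr($0, 1, eq - 1)
            v = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k)
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) { val = v; found = 1 }
        }
        END { print (found ? val : def) }' "$1"
}

# Prints NORMAL (auth on), RECOVERY_LOCAL (auth off, localhost only)
# or EXPOSED_NO_AUTH (auth off and reachable from the network).
# Assumption: an unset listen address means localhost, as the page implies.
recovery_state() {  # usage: recovery_state FILE
    auth=$(conf_value "$1" dbms.security.auth_enabled true | tr 'A-Z' 'a-z')
    addr=$(conf_value "$1" dbms.connectors.default_listen_address 127.0.0.1)
    if [ "$auth" != "false" ]; then
        echo NORMAL
        return
    fi
    case "$addr" in
        127.0.0.1|localhost|::1) echo RECOVERY_LOCAL ;;
        *) echo EXPOSED_NO_AUTH ;;
    esac
}

# Constructed sample: step 2 applied while the listener is still open.
sample=$(mktemp)
cat > "$sample" <<'EOF'
dbms.connectors.default_listen_address=0.0.0.0
#dbms.security.auth_enabled=true
dbms.security.auth_enabled=false
EOF
recovery_state "$sample"
rm -f "$sample"
```

Per-connector settings such as dbms.connector.bolt.listen_address are not examined; check them separately if they are set.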