How to Reset a Lost Cassandra Superuser Password

September 5, 2025


If you ended up on this page, you probably googled “How to restore a lost superuser password for Cassandra”. Well, there is good news and bad news.

  • Bad news: you can’t restore the password
  • Good news: you can easily reset it and get your access back

The process of resetting the password differs slightly, depending on the version of Cassandra you are running.

Why Versions Matter

  1. Older versions (≤2.x, early 3.x): Credentials are stored in the system_auth.credentials table.
  2. Newer versions (3.11, 4.x, and later): Authentication was redesigned, and credentials now live in the system_auth.roles table.

The recovery method is the same in principle - temporarily disable authentication, update the password hash in the right system table, and re-enable authentication - but the target table differs.

Step 1: Switch to AllowAllAuthenticator

This step can be done on a single node only; you don’t need to do it on every node in the cluster.

  1. Open cassandra.yaml.
  2. Find the line:

       authenticator: PasswordAuthenticator

  3. Change it to:

       authenticator: AllowAllAuthenticator

  4. Restart Cassandra so you can connect without authentication.

Step 2: Recovery for Older Versions (2.x – early 3.x)

  1. Connect with cqlsh (no password needed because auth is disabled).
  2. Run the following CQL to update the password:

       UPDATE system_auth.credentials
       SET salted_hash = '<new_hash>'
       WHERE username = 'my_super_user';

Generating the Hash

Cassandra uses a salted hash (bcrypt). To generate one, you can use Python:

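    pip install bcrypt

    import bcrypt

    password = b"MyNewSecurePassword"
    # Cassandra checks passwords with the jBCrypt library, which accepts the
    # "$2a$" hash prefix; Python's bcrypt defaults to "$2b$", so request "2a".
    salt = bcrypt.gensalt(prefix=b"2a")
    print(bcrypt.hashpw(password, salt).decode())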

Copy the output string and use it as <new_hash>.

  1. Restore cassandra.yaml back to:

       authenticator: PasswordAuthenticator

  2. Restart Cassandra.
  3. Log in with the new password:

       cqlsh -u my_super_user -p MyNewSecurePassword

Recovery for Newer Versions (3.11+ and 4.x)

  1. Connect with cqlsh.
  2. Update the system_auth.roles table:

       UPDATE system_auth.roles
       SET salted_hash = '<new_hash>'
       WHERE role = 'my_super_user';

Generating the Hash

Same process as above using bcrypt in Python.

  1. Revert authenticator back to PasswordAuthenticator and restart.
  2. Test the new password.

Important Notes

  • Replication of system_auth: Ensure the system_auth keyspace has a proper replication factor across your cluster. If only one node stores the updated hash and it goes down, you’ll lose access again.
  • Audit & Rotate: After regaining access, audit your roles and rotate credentials.
  • Don’t leave AllowAllAuthenticator enabled: Always revert after recovery.
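
A post-recovery check for the last note, added here as an example and not part of the original article: it reads each node's cassandra.yaml text and lists the nodes that would still start without authentication. It assumes the single-line authenticator: form shown in Step 1; the function names and the sample configs are constructed for illustration.

```python
import re

# Active, top-level "authenticator:" line in the single-line form used in this article.
AUTH_LINE = re.compile(r"^authenticator:[ \t]*(.*)$")

def effective_authenticator(yaml_text):
    """Return the short authenticator class name a node would load from this config."""
    found = []
    for line in yaml_text.splitlines():
        m = AUTH_LINE.match(line)  # commented-out or indented lines never match
        if m:
            # Drop a trailing "# comment", surrounding quotes and any package prefix.
            value = re.sub(r"(^|\s+)#.*$", "", m.group(1)).strip().strip("'\"")
            found.append(value.rsplit(".", 1)[-1])
    if not found:
        return "AllowAllAuthenticator"  # Cassandra's default when the key is absent
    if len(set(found)) > 1 or not found[0]:
        return "UNKNOWN"  # conflicting or non-scalar value: review by hand
    return found[0]

def nodes_needing_attention(configs):
    """configs maps node name -> cassandra.yaml text; return nodes left open or unclear."""
    return sorted(node for node, text in configs.items()
                  if effective_authenticator(text) in ("AllowAllAuthenticator", "UNKNOWN"))

# Constructed sample configs (not taken from a real cluster).
SAMPLE = {
    "node1": "cluster_name: 'demo'\nauthenticator: PasswordAuthenticator\n",
    "node2": "# authenticator: PasswordAuthenticator\n"
             "authenticator: AllowAllAuthenticator  # temporary, for password reset\n",
    "node3": "cluster_name: 'demo'\n",  # key missing entirely
    "node4": "authenticator: org.apache.cassandra.auth.PasswordAuthenticator\n",
}

if __name__ == "__main__":
    for node in nodes_needing_attention(SAMPLE):
        print(node, "->", effective_authenticator(SAMPLE[node]))
```

A node reported here still needs its cassandra.yaml fixed and a restart before the recovery is finished.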
