How to Reset a Lost Cassandra Superuser Password

If you ended up on this page, you probably googled “How to restore a lost superuser password for Cassandra”. Well, there is good news and bad news.
- Bad news: you can’t restore the password
- Good news: you can easily reset it and get your access back
The process of resetting the password differs slightly, depending on the version of Cassandra you are running.
Why Versions Matter
- Older versions (≤2.x, early 3.x): credentials are stored in the `system_auth.credentials` table.
- Newer versions (3.11, 4.x, and later): authentication was redesigned, and credentials now live in the `system_auth.roles` table.
The recovery method is the same in principle - temporarily disable authentication, update the password hash in the right system table, and re-enable authentication - but the target table differs.
Step 1: Switch to AllowAllAuthenticator
This step only needs to be done on a single node; you don’t need to do it on every node in the cluster.
1. Open `cassandra.yaml`.
2. Find the line:
```yaml
authenticator: PasswordAuthenticator
```
3. Change it to:
```yaml
authenticator: AllowAllAuthenticator
```
4. Restart Cassandra so you can connect without authentication.
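Step 1 done by script rather than by hand, as an added example that is not code from the original post: a Python helper (function names are mine) that swaps the active `authenticator:` line in `cassandra.yaml`, refuses to touch the commented-out mentions of that key that the stock file contains, keeps a `.bak` copy for the revert step, and reports the previous value so you know what to put back. The sample YAML embedded below is an abbreviated, constructed stand-in for the real file, and `/etc/cassandra/cassandra.yaml` in the usage note is an assumed path.

```python
from __future__ import annotations

import re
from pathlib import Path

# Matches an active (uncommented) "authenticator:" setting. The stock cassandra.yaml
# mentions the key in comments too, so only a line that starts with the key counts.
_AUTHENTICATOR_RE = re.compile(r"^([ \t]*authenticator:[ \t]*)(\S+)(.*)$", re.MULTILINE)

# Constructed, abbreviated stand-in for a real cassandra.yaml (comments paraphrased).
SAMPLE_YAML = """\
cluster_name: 'Test Cluster'
# Authentication backend, implementing IAuthenticator; used to identify users.
# Out of the box, Cassandra provides AllowAllAuthenticator and PasswordAuthenticator.
# - AllowAllAuthenticator performs no checks - set it to disable authentication.
# - PasswordAuthenticator relies on username/password pairs to authenticate
#   users. It keeps usernames and hashed passwords in the system_auth.roles table.
authenticator: PasswordAuthenticator
authorizer: CassandraAuthorizer
"""


def set_authenticator(yaml_text: str, new_value: str) -> tuple[str, str]:
    """Return (updated_text, previous_value) with the active authenticator replaced.

    Raises ValueError unless exactly one active 'authenticator:' line exists, so a
    malformed or duplicated config is never half-edited.
    """
    matches = _AUTHENTICATOR_RE.findall(yaml_text)
    if len(matches) != 1:
        raise ValueError(
            f"expected exactly one active 'authenticator:' line, found {len(matches)}"
        )
    previous = matches[0][1]
    updated = _AUTHENTICATOR_RE.sub(
        lambda m: f"{m.group(1)}{new_value}{m.group(3)}", yaml_text, count=1
    )
    return updated, previous


def switch_authenticator_file(path: str | Path, new_value: str) -> str:
    """Edit the file in place, writing a <name>.bak copy first; returns the old value."""
    p = Path(path)
    original = p.read_text()
    updated, previous = set_authenticator(original, new_value)
    Path(str(p) + ".bak").write_text(original)  # keep a copy for the revert step
    p.write_text(updated)
    return previous


if __name__ == "__main__":
    # Demonstrate on the constructed sample rather than touching a real file.
    text, was = set_authenticator(SAMPLE_YAML, "AllowAllAuthenticator")
    print(f"was: {was}")
    print(text)
    back, _ = set_authenticator(text, "PasswordAuthenticator")
    print("round trip restores original:", back == SAMPLE_YAML)
```

On a node you would call `switch_authenticator_file("/etc/cassandra/cassandra.yaml", "AllowAllAuthenticator")` before the restart, and the same call with `"PasswordAuthenticator"` when reverting; the `.bak` copy is there if anything goes wrong in between.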
Step 2: Recovery for Older Versions (2.x – early 3.x)
- Connect with `cqlsh` (no password needed because auth is disabled).
- Run the following CQL to update the password:
```sql
UPDATE system_auth.credentials
SET salted_hash = '<new_hash>'
WHERE username = 'my_super_user';
```
Generating the Hash
Cassandra stores passwords as salted bcrypt hashes. To generate one, you can use Python:
```shell
pip install bcrypt
```
```python
import bcrypt

password = b"MyNewSecurePassword"  # bcrypt works on bytes, not str
salt = bcrypt.gensalt()            # random salt; cost factor is the library default
print(bcrypt.hashpw(password, salt).decode())  # decode() so you copy the bare string, not b'...'
```
Copy the output string and use it as `<new_hash>`.
- Restore `cassandra.yaml` back to:
```yaml
authenticator: PasswordAuthenticator
```
- Restart Cassandra.
- Log in with the new password:
```shell
cqlsh -u my_super_user -p MyNewSecurePassword
```
Recovery for Newer Versions (3.11+ and 4.x)
- Connect with `cqlsh`.
- Update the `system_auth.roles` table:
```sql
UPDATE system_auth.roles
SET salted_hash = '<new_hash>'
WHERE role = 'my_super_user';
```
Generating the Hash
Same process as above, using bcrypt in Python.
- Revert the authenticator back to `PasswordAuthenticator` and restart.
- Test the new password.
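The hash generation and the table-specific UPDATE for both layouts (the older `system_auth.credentials` table and the newer `system_auth.roles` table), scripted end to end as an added example that is not part of the original post. The function names and the `"old"`/`"new"` version keys are mine; it assumes the third-party `bcrypt` package the post installs. It asks bcrypt for the `$2a$` prefix and cost factor 10, the form Cassandra's own PasswordAuthenticator writes (its bundled jBCrypt defaults), rather than the library's `$2b$`/12 defaults, and it checks the hash's shape before building the statement, which catches the usual copy-paste mistakes (pasting the `b'...'` bytes repr, or a truncated hash) before anything touches the system table.

```python
import re

# Shape of what Cassandra stores: a 60-character bcrypt string, "$2a$10$" + 53 chars.
_BCRYPT_RE = re.compile(r"^\$2[aby]\$(\d{2})\$[./A-Za-z0-9]{53}$")

# Which table and key column hold the hash, keyed by the version family in the post.
TABLE_BY_VERSION = {
    "old": ("system_auth.credentials", "username"),  # <=2.x, early 3.x
    "new": ("system_auth.roles", "role"),            # 3.11+, 4.x and later
}


def generate_hash(password: str, rounds: int = 10) -> str:
    """Return a bcrypt hash in the $2a$ form Cassandra itself produces."""
    import bcrypt  # third-party (pip install bcrypt); imported here so the
    # format check and statement builder below carry no dependency.
    salt = bcrypt.gensalt(rounds=rounds, prefix=b"2a")
    return bcrypt.hashpw(password.encode("utf-8"), salt).decode("ascii")


def check_hash_format(salted_hash: str) -> int:
    """Reject anything that is not a complete bcrypt string; return its cost factor."""
    m = _BCRYPT_RE.match(salted_hash)
    if not m:
        raise ValueError("not a 60-character bcrypt hash: " + repr(salted_hash))
    return int(m.group(1))


def reset_statement(version: str, role: str, salted_hash: str) -> str:
    """Build the UPDATE for the given version family ("old" or "new")."""
    table, key_column = TABLE_BY_VERSION[version]
    check_hash_format(salted_hash)
    # bcrypt output never contains a quote, but the role name is free text:
    # double any single quote so it cannot break out of the CQL literal.
    safe_role = role.replace("'", "''")
    return (
        f"UPDATE {table}\n"
        f"SET salted_hash = '{salted_hash}'\n"
        f"WHERE {key_column} = '{safe_role}';"
    )


def verify(password: str, salted_hash: str) -> bool:
    """Confirm the password matches the hash before you paste it anywhere."""
    import bcrypt
    return bcrypt.checkpw(password.encode("utf-8"), salted_hash.encode("ascii"))


if __name__ == "__main__":
    new_hash = generate_hash("MyNewSecurePassword")
    print(reset_statement("new", "my_super_user", new_hash))
    print("hash verifies locally:", verify("MyNewSecurePassword", new_hash))
```

Run it, paste the printed statement into `cqlsh` on the node where you switched to `AllowAllAuthenticator`, then revert the authenticator as the steps above describe. Passing `"old"` instead of `"new"` produces the `system_auth.credentials` variant for the older layout.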
Important Notes
- Replication of `system_auth`: ensure the `system_auth` keyspace has a proper replication factor across your cluster. If only one node stores the updated hash and it goes down, you’ll lose access again.
- Audit & Rotate: after regaining access, audit your roles and rotate credentials.
- Don’t leave `AllowAllAuthenticator` enabled: always revert after recovery.