Why do you need to intervene in GRUB?
As a system administrator, forgetting a password happens more often than you might think. I once took over a cluster of five Ubuntu 22.04 servers from a former colleague without a KeePass file. It felt like being locked out of my own house. On Ubuntu, the root account is usually locked by default, and we rely on sudo. If you lose this privilege, intervening in the bootloader is your only lifeline.
Don’t rush to reinstall the OS. This only wastes time and precious data. We will utilize GRUB (Grand Unified Bootloader) to put the system into a special state. This state allows editing system files without the old password. This is a vital survival skill for DevOps when handling onsite troubleshooting or via KVM/IPMI.
Preparing the recovery environment
You need physical access or a console interface (such as a VPS on DigitalOcean, Linode, or VMware). The process starts as follows:
- Restart the system: This is required to interrupt the normal boot process.
- Access the GRUB Menu:
- For machines using legacy BIOS: Hold the Shift key as soon as the machine turns on.
- For machines using UEFI (most new laptops/servers): Press the Esc key repeatedly after the manufacturer logo disappears.
If a blue or black screen with selection lines appears, you have succeeded. If the machine boots straight to the login screen, it means you pressed the key too slowly. Try again.
2 ways to reset your password safely and quickly
Depending on the system status, you can choose the “official” method or the deep kernel intervention method.
Method 1: Using Recovery Mode (For beginners)
This is the safest solution built directly into Ubuntu.
- At the GRUB menu, select Advanced options for Ubuntu and press Enter.
- Find the line ending with
(recovery mode), usually the second line, and press Enter. - When the Recovery Menu appears, select the line root – Drop to root shell prompt. Press Enter twice to confirm.
At this point, you have root privileges, but the hard drive is in Read-only mode. You cannot change the password without switching it to Read-Write mode. Type the command:
mount -o remount,rw /Then, proceed to reset the new password for your user:
passwd your_usernameThe system will ask you to enter the new password twice. Finally, type exit and select resume to enter Ubuntu.
Method 2: Editing Kernel parameters (When Recovery Mode is locked)
Many high-security systems will require a root password even when entering Recovery Mode. In this case, the boot parameter trick is your last resort.
- At the main GRUB menu, move to the first Ubuntu line and press the ‘e’ key.
- Find the line starting with the word
linux. It usually contains the stringro quiet splashat the end. - Delete that
ro quiet splashpart and replace it with:rw init=/bin/bash. - Press Ctrl + X or F10 to boot this temporary configuration.
The machine will boot directly into a shell prompt with root privileges without asking for anything. Since we added the rw parameter, the file system is ready for writing data. You just need to run:
passwd your_username
sync
reboot -fSecuring the system after recovery
After successfully logging in with the new password, you should review your security. The fact that anyone can reset the password via GRUB is a major physical security risk.
Blocking risks from GRUB
If the server is located in a public place, set a password for GRUB itself. This prevents unauthorized editing of boot parameters. Use the following command to create a password hash:
grub-mkpasswd-pbkdf2Additionally, consider using LUKS disk encryption. With LUKS, even if an attacker gains root shell access, they cannot read the data without the decryption key.
Checking login history
Check the logs to ensure no one else tampered with the machine while you were away:
tail -n 20 /var/log/auth.logIf you see a password changed line matching the time of your operation, the system is still secure. This technique is simple but extremely effective when facing “laughing through the tears” situations on Ubuntu.
