Possible Duplicate:
Is it possible to decrypt md5 hashes?
In my website, I'm using md5 encryption for the password. So it's saving in the encrypted form in the database. For doing the password recovery, how can I decrypt the encrypted password ??
Please Help :)
As others described quite well, you cannot easily 'decrypt' an MD5 hash.
I guess the best way to do your password recovery is like this:
A user can request password recovery by providing his email address (it should be unique so users can be identified by email address).
an email is sent to his address with a link containing a unique hash (which you have generated when sending the email and saved it to the db).
when the link is clicked by the user (and of course the unique hash is checked to be equal with the one in the db) you can show a form which lets them choose a different password.
Another route that some people use is to simply ask for the email address, generate a new password and send it to the user. The problem with this one is that someone who knows only your email address can request a password change. He won't know the new pass, and you will get it by email, but still it is very inconvenient for the user.
MD5 is a hash-based encryption. What that means, is that there is no way to get back the original value. You have created something that is a "checksum" of the original data. You can use the MD5 algorithm to encrypt something else, and then compare that to the MD5'd version of the data, but you can never get back the original.
It would be similar to me saying: 5 + 3 + 2 = 10. The original data is 5, 3, and 2. But the "hash" is 10. There is no way to get the original data from the hash, but if someone supplies the correct input ( 5, 3, 2 ), I can hash it, and confirm that it matches hash that I have on file, 10.
I think MD5 is a one way hashing algorithm. What that means is that once you encrypt it, the data cannot be decrypted. (I'm sure a good hacker will disagree though)
Anyways, for passwords you can save the encrypted version of the password in the database. When a user attempts to log in, encrypt the entered password using the same MD5 algorithm, and compare the encrypted version of the password against the encrypted password stored in the database.
Once you're comfortable with this approach, you can start looking at the concept of adding salt to the hashed password.
Also, there are other hashing algorithms than just MD5. If you're using .NET, there's a bunch in the framework, such as SHA512Managed. Each one has its trade offs, such as speed to hash, security, etc. Pick one that fixes your particular problem.
You can't decrypt a md5 password! The only way would be to brute force it! If you want to do password recovery make a random string witch will be sent to the user by email (or any other way) and set as a md5'd password... Just an idea
EDIT: Why would you encrypt a password to keep it safe if you can decrypt it? Makes no sense! -> You could the basically leave the password unencrypted!
It's not easy, but you're best bet would be to use a rainbow table as the MD5 has does have vulnerabilities.
There are several online versions, which you may or may not be able to trust (or work).
