-1

Possible Duplicates:
I Have md5 encrypted password, how to give the password to user when he uses “Forgot password”?
PHP:How to send the original password to the user when he clicks forgot password which is encrypted by using md5?

I do not know is it the right way to ask this question but I am implementing my own membership script in PHP and right now, I am stuck with the retrieving the MD5 codes from database. OK, I insert the user info to the database and because of the security issues I encrypted the password before saving it to database but my question is that when I try to create a forget your password stuff, how can I get the unencrypted password from the database. By the way I use MySQL and my question is not about inserting or retrieving data from database, I only ask how can I reverse the MD5 thing. Thanks in advance!

Community
  • 1
  • 1
makyol
  • 213
  • 8
  • 20

5 Answers5

6

You can't. MD5 hashes, or hashes in general, are not reversible. That's exactly the reason why you're using them in the first place to store passwords, because you do not want the responsibility of knowing the actual password.

Forgot password functionality is implemented by sending an email to the user with a one-time link he has to click on and letting him enter a new password.

deceze
  • 510,633
  • 85
  • 743
  • 889
  • This is the best way of doing it. As a side note, you should salt your md5 hashes if the password is < 8 characters long because it is becoming easier to decode shorter md5 hashes. – reefine May 02 '11 at 23:48
  • @user You need to salt your passwords anyway, not just of they're short. Also, you shouldn't use MD5 anymore. – deceze May 02 '11 at 23:49
  • why do you mean by salt your passwords? and why should not i use MD5 anymore? – makyol May 02 '11 at 23:52
  • You can't. Except when you can. http://md5.gromweb.com/query/21232f297a57a5a743894a0e4a801fc3 – Tim Sylvester May 02 '11 at 23:53
  • @Jay Read this excellent article @Tim linked to: http://chargen.matasano.com/chargen/2007/9/7/enough-with-the-rainbow-tables-what-you-need-to-know-about-s.html – deceze May 02 '11 at 23:54
  • @deceze that is very logical. thanks for your answer. but here I have another one. how can i make a unique one time link for each user to reset their password? – makyol May 02 '11 at 23:55
  • @Jay http://stackoverflow.com/search?q=how+to+generate+random+string+to+reset+password+%5Bphp%5D `do { /* generate random string */ } while (/* string exists in database */);` Then save it in a `password_reset_token` field or so for the user. – deceze May 03 '11 at 00:00
  • @Jay I met a hashed password the other day that was assaulted. – alex May 03 '11 at 00:00
  • @deceze thanks a lot. @alex is it sarcasm? – makyol May 03 '11 at 10:24
2

MD5 was intended to be one-way, but it's now thoroughly insecure. If you're actually serious about having any measure of security, rather than just going through the motions, you have some reading to do:

http://chargen.matasano.com/chargen/2007/9/7/enough-with-the-rainbow-tables-what-you-need-to-know-about-s.html

SHA512 vs. Blowfish and Bcrypt

http://codahale.com/how-to-safely-store-a-password/

Community
  • 1
  • 1
Tim Sylvester
  • 22,897
  • 2
  • 80
  • 94
1

Actually you don't get the password back ever again,

You hash the password entered and compare to the has in your database, thats how it works :) good luck

Ibu
  • 42,752
  • 13
  • 76
  • 103
  • if they match, then you have the correct password. md5 is not reversible meaning it is a one way ticket, so even if someone get a hold of your hash it will be very difficult to kknow what is the password – Ibu May 02 '11 at 23:43
1

MD5 is a one-way hash so reversing it wont work.

How you do it is performa comparison against what is stored for example: SQL for entering the user:

INSERT INTO `users` (`username`, `password`) VALUES ('$username', MD5('$password'));

This will mean that the password is stored as a hash. When someone tries to log in you do the same thing but in a select statement:

SELECT * FROM `users` WHERE `username` = '$username' AND `password` = MD5('$password');

If there's a result, then the user is authenticated, if there's more than 1 result, then you have fun :)

For the forgot password bit, you are better to set up a chain where the user's are emailed a code and a link. Where they can enter that code on the "password reset" page as well as a new password.

HTH

Adam Purdie
  • 502
  • 5
  • 14
0

There are various ways to deal with forgotten passwords, but figuring out the original password from an MD5 hash isn't really one of them.

For the record, however, you really shouldn't be using MD5 for this (or much of anything else related to security). MD5 is pretty badly broken -- unless there's absolutely no choice in the matter, switch to something else (oh, but you should also know that SHA-1 is only a little better than MD5).

Jerry Coffin
  • 476,176
  • 80
  • 629
  • 1,111