Hello. To the point: I have a user registration form on my website. From it I save the user's password with MD5 and store it in MySQL. Everything runs properly. But in case a user forgets their password, I made a mechanism where they have to fill in their username and email address, and the password will be sent to the email address specified. There is no problem with it, except I don't know how to get the real password value back from that encryption. My questions:
1. Should I save the real value (not encrypted) in MySQL, so I can use it in this case? But if so, what is the function of MD5 here?
2. Does anyone here have another good concept of how to maintain user passwords on my website, so it is secure and can solve my problem, i.e. I can send them the password in case they forget it?
Best Regards
The best solution would be to grant the user access to change their password, provided a link in their email with a generated token for verification, such as forgot_password.php?hash=<md5 string>. Storing a raw unencrypted password really defeats its purpose. Unless you have an IQ of 500+ and found a way to reverse MD5.
lol... I have a poor IQ now. Actually I still don't understand the logic of the concept you specified above. Can you explain it further and maybe give me the script so I can use it to solve the problem? Thanks b4
What he means is: "The best solution would be to grant the user access to change their password, provided a link in their email with a generated token for verification." Once you store it as MD5 you cannot get the value back; that is the whole point of MD5. Unless you have an IQ of 500+ and found a way to reverse MD5. Technically, theoretically there exists a way to do it by testing collisions etc., but it's irrelevant. So as he said, what you need to do is allow the user to change his password if he forgot it: not recover it, but change it to a new one.
Yeah, that's what I meant, but you need to increase security by using a random md5() string:
PHP:
$token = md5(time());    // Generate according to timestamp
$token = md5(mt_rand()); // Randomly generate a string
Then you put the string into a $_GET[] to check against the database.
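The reset-by-token flow described in the replies above, written out as an added example (not code posted by anyone in this thread). It assumes a PDO connection and a hypothetical users table with columns id, email, password_hash, reset_token_hash and reset_expires; it generates the token with random_bytes instead of md5(time()) or md5(mt_rand()), stores only a hash of the token, gives it an expiry, makes it single-use, and stores the new password with password_hash rather than MD5.

```php
<?php
// Added example: emailed one-time reset token, then password change (not recovery).
// Assumed schema: users(id, email, password_hash, reset_token_hash, reset_expires).
declare(strict_types=1);

const RESET_TTL_SECONDS = 3600; // token is valid for one hour

// Step 1: user submitted their email on the "forgot password" form.
// Returns the raw token to embed in the emailed link, or null if no such user.
function createResetToken(PDO $pdo, string $email): ?string {
    $stmt = $pdo->prepare('SELECT id FROM users WHERE email = ?');
    $stmt->execute([$email]);
    $userId = $stmt->fetchColumn();
    if ($userId === false) {
        return null; // respond identically to the user either way; do not reveal whether the email exists
    }
    $token = bin2hex(random_bytes(32));   // 256 bits from the CSPRNG; unguessable, unlike md5(time())
    $tokenHash = hash('sha256', $token);  // only the hash is stored, so a DB leak yields no usable links
    $expires = time() + RESET_TTL_SECONDS;
    $upd = $pdo->prepare('UPDATE users SET reset_token_hash = ?, reset_expires = ? WHERE id = ?');
    $upd->execute([$tokenHash, $expires, $userId]);
    return $token; // goes into the link, e.g. forgot_password.php?token=<hex>
}

// Step 2: user followed the link and submitted a new password.
function completeReset(PDO $pdo, string $token, string $newPassword): bool {
    $tokenHash = hash('sha256', $token);
    $stmt = $pdo->prepare('SELECT id, reset_token_hash, reset_expires FROM users WHERE reset_token_hash = ?');
    $stmt->execute([$tokenHash]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false
        || !hash_equals($row['reset_token_hash'], $tokenHash) // constant-time comparison
        || (int)$row['reset_expires'] < time()) {
        return false; // unknown, tampered or expired token
    }
    // Replace the MD5 scheme: password_hash salts and uses bcrypt (PASSWORD_DEFAULT).
    $newHash = password_hash($newPassword, PASSWORD_DEFAULT);
    $upd = $pdo->prepare(
        'UPDATE users SET password_hash = ?, reset_token_hash = NULL, reset_expires = NULL WHERE id = ?'
    );
    $upd->execute([$newHash, $row['id']]); // clearing the hash makes the token single-use
    return true;
}

// At login, check the submitted password with password_verify($submitted, $row['password_hash']).
```

Because only the token's hash and the password's hash are stored, there is never a plaintext password to email, which is exactly the point the replies make: the user sets a new password rather than recovering the old one.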
There is a way to store a password in the database using a key, which is required to decrypt the password. Please check out mcrypt_encrypt on php.net. Make sure the key is not known to the public.