Hi, I am storing my users' passwords in a database using md5, however I want users to be able to see their passwords. And since md5 is a "one way" encryption, how do I do this? I have seen websites be able to do it, do they not encrypt their users' passwords?
Correct, you can't decrypt md5 (under normal circumstances). They could have their users' passwords unencrypted, or be using a two-way proprietary encryption method.
Ok, thanks. For now I will just stick with md5; maybe later I will write a little encryption function that can be decrypted.
As much as it seems great to show a user their password, there are numerous security reasons not to. What happens if someone gets a hold of the user's cookie? Well, now they can just grab the password since it is given to them in a profile area or something of that nature. Also, when changing crucial information such as a password, the person doesn't even need to know the current password now since it's basically given to them. I'd stick with an md5 and no decryption for user convenience on their password. If they forget their password, just have a forgot password option so they can generate a new one. Saves the whole security problem altogether.
I agree with the above post. MD5 is one way because one way is better and safer. It's best to just provide a method of changing the password.
Same here. You can send them an email with all details, including the password, at the time of registration if it makes you feel better, so they could save it for later.
Yeah, like the others said, I wouldn't use 2 way encryption. Stick to hashes; in fact, use more than one if you can to help avoid the rainbow crack methods. Can't hurt, just in case your DB is compromised, but your PHP isn't.
Sure... he could. But is base64 secure? Not in the least... I would recommend a sha1 hash, especially in a database environment.
If he uses it as a hash, yes. He wants to show passwords to users; it's not secure. Not base64 alone: if you encrypt the password with base64 and use a hash on this encrypted data, no one can decrypt that easily if they don't know the hash.
What you do if the user forgot their password is just reset the password, do an md5, and then update your database. Send an email to the user with the new password.
Changing a password is best done with a two step process. The first is the user requesting that the password be changed. When that happens, the table with the password should be updated so there's a field with a unique id. That unique id should be e-mailed as part of a link to a password change page. http://www.mypage.com/pw.php?uid=343421efbd459 Or whatever. The second step: when the user goes to the page you just check the uid to get the user id that is requesting the password change. The user can then enter in the new password and the table is updated. UPDATE accounts SET password = MD5($new_password), uid = "" WHERE uid = $uid AND length(uid) > 5 The e-mail step makes sure that malicious users can't force a password reset. The update query takes care of making sure a user can't update their password without making another request.
You should continue using md5 or some other "one-way" encryption algorithm. If your users forget their passwords, you must request the email address they used when signing up for the service. If such an email is found within the database, create a function to generate a six letter temporary password, encrypt such password, and enter it in the database associated with the email address entered. Then send an email to the email address stating that the password has been changed. Only the owner of the email address, knowing the password to access the email, will receive the new temporary password. This allows for an extra level of security.
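The two-step reset described in the two posts above, written out as an added example that is not code from anyone in this thread: a salted one-way password hash instead of MD5, a random reset token of which only the hash is stored (with an expiry), and a constant-time comparison when the link is followed. The in-memory array standing in for the accounts table, the lookup by email plus token, and the 900-second token lifetime are assumptions.

```php
<?php
// Added example, not from the thread: the two-step reset with one-way hashing.
// An in-memory array stands in for the accounts table (assumption).
declare(strict_types=1);
const RESET_TTL = 900; // seconds a reset link stays valid (assumed value)

function register(array &$accounts, string $email, string $password): void {
    // Salted, slow, one-way hash: the table holds nothing reversible.
    $accounts[$email] = ['hash' => password_hash($password, PASSWORD_DEFAULT),
                         'reset_hash' => null, 'reset_expires' => 0];
}

function login(array $accounts, string $email, string $password): bool {
    return isset($accounts[$email])
        && password_verify($password, $accounts[$email]['hash']);
}

// Step 1: user requests a reset. The returned token goes into the e-mailed
// link; only its hash is stored, so a copy of the table cannot reset accounts.
function requestReset(array &$accounts, string $email): ?string {
    if (!isset($accounts[$email])) {
        return null; // respond to the user identically either way
    }
    $token = bin2hex(random_bytes(32));
    $accounts[$email]['reset_hash'] = hash('sha256', $token);
    $accounts[$email]['reset_expires'] = time() + RESET_TTL;
    return $token;
}

// Step 2: the link is followed. Check expiry and token (constant time),
// store the new hash, then clear the token so the link cannot be reused.
function completeReset(array &$accounts, string $email, string $token,
                       string $newPassword): bool {
    $row = $accounts[$email] ?? null;
    if ($row === null || $row['reset_hash'] === null
        || time() > $row['reset_expires']
        || !hash_equals($row['reset_hash'], hash('sha256', $token))) {
        return false;
    }
    $accounts[$email]['hash'] = password_hash($newPassword, PASSWORD_DEFAULT);
    $accounts[$email]['reset_hash'] = null;
    $accounts[$email]['reset_expires'] = 0;
    return true;
}

$accounts = [];                                   // constructed sample data
register($accounts, 'alice@example.com', 'old-secret');
$token = requestReset($accounts, 'alice@example.com');
var_dump(completeReset($accounts, 'alice@example.com', $token, 'new-secret'));
var_dump(completeReset($accounts, 'alice@example.com', $token, 'again'));
var_dump(login($accounts, 'alice@example.com', 'new-secret'));
```

The second completeReset call fails because the token was cleared by the first, which is what stops a reset link from being replayed.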
or write your own simple xor cipher ....

```php
<?php
// Repeating-key XOR: the same call both ciphers and deciphers.
function cipher( $text, $key ) {
    $k = 0 ;
    $count = 0 ;
    while( $count < strlen( $text ) ) {
        // square-bracket string offsets; the {} form is removed in PHP 8
        $text[ $count ] = $key[ $k ] ^ $text[ $count ];
        // advance the key index and wrap it at the key length
        $k = ( $k + 1 ) % strlen( $key );
        $count++;
    }
    return $text;
}

$keys = array( '5^QTWETW£$%egrgw%%', '5409uewafaSCNSVJfdv', '54adQWQDQE', '56^£^^&%$^£$!%""', '123!")($£_)"$£")"', '!WDFGRAW$)(ASw3tr4)' );
$strings = array( 'the first string', 'weekpass', 'aMo4eComPLicAtEdStrIng', 'JustWastingMyLifeNow', 'OneFromTheFinish', 'And Finally we\'re done' );

foreach( $strings as $index => $string ) {
    $ciphered = cipher( $string, $keys[ $index ] );
    $deciphered = cipher( $ciphered, $keys[ $index ] );
    printf( 'String : %s<br />', $string );
    printf( 'Key : %s<br />', $keys[ $index ] );
    printf( 'Ciphered : %s<br />', $ciphered );
    printf( 'Base64 Ciphered : %s<br />', base64_encode( $ciphered ) );
    printf( 'Deciphered : %s<br />', $deciphered );
    echo "<br />";
}
?>
```

or use an implementation of xtea or something like that ...... md5 has been around for a long time now; it's possible to dehash any md5 given time and processing power, and it can be a pain not being able to see passwords. While that's only a few lines of code, if whoever is hacking your database doesn't know what you're using to encrypt passwords, then it's void + you can use any length keys with any characters in ......
MD5 is not an encryption but a hash. You cannot go from the hash to the original password. The only way is to brute force. I don't think it's the best way to do it in your case. Take care.
Your cookies might be a bit more secure, sure, but that leaves your database wide open and viewable to everyone if someone were to gain access to it. Still not a good idea. Just generate a random password for them and they can log in and change it to something that they will remember. Easy peasy, all is well and nothing to worry about.