I am going to store the users' passwords using $pass=md5($_POST['pass']); in PHP, and they successfully went into the database. But how do I decrypt those passwords? If a user clicks on forget password, it will fetch the particular password and send it by mail, but it was sending the encrypted one. How do I decrypt it before I send those mails?
Please note that you can't do that or echo that. You can have a look here: http://www.raymond.cc/blog/archives/2009/01/22/ask-raymond-how-to-decrypt-md5-hashed-strings/ Another good option is to generate a new pass, update the DB, and send that password recovery mail!
Just generate a new password. You would do this by using mt_rand() to get a random number, then hashing it with sha1(), then finally substr()-ing it to a couple characters long. MD5 can't be decrypted practically. The only real way is to compare it to the hash of a string until you find a match.
MD5s are irreversible encryption. If a user provides you with a password, you can only encrypt that password and compare it to the one on file; you don't DECRYPT it. PS: Remember to SALT your MD5's to
I tried Cozmic's process about sha1 but did not understand it clearly. Can anybody explain to me how to make a forget password page with a simple example, for MD5-based passwords? Thanks!
For MD5, as I said, generate a new password, update that in the DB with MD5 encryption, and send that generated password to the user! If you still can't do that, I can solve that for some bucks.
You cannot decrypt a hash -- if you're lucky the user has been so dumb as to type in something like "duck" or "mom" as their password and you're able to look it up in some md5 database. That would be of no use, though, so just send another random password upon request.
I once created a hash that was MD5-salt-SHA1-salt, but I was told it would not work because it would interfere with the other encryptions. Anywho, I did not come across an issue and successfully secured my site. If you wanted to, you could record to another section of the database to store the encrypted version and the normal string. This of course is just the same as not having any md5 encryption. Well, best of luck.
The best solution is stated above: have them input their email, and then once the email is confirmed to be associated with an account, say a new password is being sent to that email, and just change the password for them, send the new password, then when they log in, request the password to be changed again.
Yeah, I know, I do that now too, but I guess I should have mentioned it. That is how a lot of sites do it. If a site sends you your password that you previously used, I would recommend not using that site.
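
The reset flow the replies describe (confirm the email belongs to an account, set a new random password, store only its hash, make the user change it at next login), as an added example that is not code from any poster in this thread. It swaps in random_int() and password_hash() for the mt_rand() and md5() mentioned above; the users table, its column names (email, pass_hash, must_change) and the sample account are assumptions constructed for the demo.

```php
<?php
// Added example. Table and column names are assumptions, not from the thread.

function generate_temp_password(int $length = 12): string
{
    // Alphabet without look-alike characters (0/O, 1/l/I) so it survives retyping.
    $alphabet = 'abcdefghjkmnpqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789';
    $max = strlen($alphabet) - 1;
    $out = '';
    for ($i = 0; $i < $length; $i++) {
        $out .= $alphabet[random_int(0, $max)]; // CSPRNG, unlike mt_rand()
    }
    return $out;
}

// Returns the new temporary password to mail, or null if the email is unknown.
function reset_password(PDO $db, string $email): ?string
{
    $find = $db->prepare('SELECT id FROM users WHERE email = ?');
    $find->execute([$email]);
    $id = $find->fetchColumn();
    if ($id === false) {
        return null; // no account: nothing is changed, nothing is mailed
    }
    $temp = generate_temp_password();
    // Only the salted hash is stored; the old password is never read back.
    $upd = $db->prepare('UPDATE users SET pass_hash = ?, must_change = 1 WHERE id = ?');
    $upd->execute([password_hash($temp, PASSWORD_DEFAULT), $id]);
    return $temp;
}

// Constructed demo data in an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT UNIQUE,
           pass_hash TEXT, must_change INTEGER DEFAULT 0)');
$db->prepare('INSERT INTO users (email, pass_hash) VALUES (?, ?)')
   ->execute(['alice@example.com', password_hash('old-secret', PASSWORD_DEFAULT)]);

$temp = reset_password($db, 'alice@example.com');
$row  = $db->query("SELECT pass_hash, must_change FROM users
                    WHERE email = 'alice@example.com'")->fetch(PDO::FETCH_ASSOC);

var_dump(password_verify($temp, $row['pass_hash']));         // new password accepted?
var_dump(password_verify('old-secret', $row['pass_hash']));  // old password still valid?
var_dump((int) $row['must_change']);                         // change forced at next login?
var_dump(reset_password($db, 'nobody@example.com'));         // unknown address
```

On a real page the value returned by reset_password() would go into the recovery mail, and the login handler would check must_change before letting the session continue.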