Hi pls refer to the following link: http://www.phpeasystep.com/phptu/26.html So to encrypt a password, use md5() function? How about decrypting it? Cos when the user forgot the password the admin has to retrieve the password from the database upon request from the user, but the password has to be decrypted back to its original form Anyone has any idea how to do it?
To encrypt a password you always need to use an encryption function like indeed md5, but trying to gain your original password from the md5 is nearly impossible, you can lookup an online MD5 database with the same signature!
You cannot decrypt md5 without brute force - that's the point of it, else it would be incredibly easy to hack. Instead of emailing the user their password (too insecure), either Create a new one with random characters, send them the new password, and have them have to login to change it. Or what I would do, email the user a link containing their encrypted password and their username, to log them in automatically, and give them the form to change their password. So the unencoded link looks something like: http://site.com/login.php?action=reset&&username=username&&password=BIGMD5password&sessionid=1 Code (markup): Create the sessionid variable/session when you email them the link, and have it expire after say...30minutes. So on login.php, uses $_GET tp retrieve the variables, and log the user in automatically. I only have a vague idea though....
MD5 is NOT a crypting method, it's a hashing method, and that's all the difference : you cannot get the original string from a MD5. What you can do is brute-forceing to find a string which MD5 is the one you have. I insist on "a" string, because there's an infinity of strings which have the same MD5 (and that makes sense, as there's "only" 2^128 MD5 hashes, whereas there's an infinity of strings). So, as blueparukia said, what you can do is provide a possibility for the users to reset their passwords from a link sent to their e-mail address.
The other option would be to use a 2 way encryption (AES, DES, etc.). Unless there is some very good reason you need to be able to decrypt a password rather than reset it, hashing is a far more secure and easier way to manage user passwords.