Sending a user forgotten password

[extrovertive]

K, I have a table with userid, email, and their password. Their password are encrypted using MD5. In my login page, there's a link for "Forgot password?"

Now, since the password is based on a 1-way hash encrpytion in the database, how will I send them their password should they forget it?

[hitman6003]

you will have to change their password to something that is known, then set it to the new value (encrypted) in the database, then email the user thier new password.

[extrovertive]

I know I can that - randomly generate them a new password - but that's just reseting their password.

I know want to send them their original password. Anyway around this with md5?

[onlyican]

What i would do is create a new password, using a random function (rand on php.net)

Send them that, and tell them to change it in the control panel or something

md5 is one way encryption for a reason.

[hitman6003]

[quote]1-way hash encrpytion[/quote]

You answered your own question...1-way means it can't be unencrypted...you can only encrypt a string with the same method and see if they match.

[extrovertive]

k, guess I'll have them reset the password.

What if I had stored their password using sha1? Is there a encryption-decryption algorithm?

[wildteen88]

sha-1 is one way encryption too. There are encryption/decrption functions in PHP. However you can encode/decode strings with base64_encode/base64_decode however these are not secure. The only way to reset the users password is to create a random password generator which will generate a random password for them, or get them to reset the password.