AdRock Posted August 9, 2006

When new user details are inserted into the database I have used md5 to encrypt the password. I now have a form to recover a lost password which gets the record from the database and emails the user the username and password. The problem is that the password is still encrypted. I need to know how I can convert the md5 password to a format that the user can read and understand.
king arthur Posted August 9, 2006

You can't. If someone has forgotten their password the only option is to enable them to choose a new one.
Orio Posted August 9, 2006

When someone forgets his pass and asks for a reminder, generate a random string, for example:

[code=php:0]<?php
$rand_string = md5($username . time());
?>[/code]

Store it in the db in the row of the user, in the column "reminder_rand". Then send a link (to the email given) that looks like this:

[code=php:0]echo("www.domain.com/reminder.php?str=" . $rand_string);[/code]

reminder.php will check if there's a row where "reminder_rand" equals $rand_string, and if so create a random pass for the user, replace the old one with it (in md5 of course) and then send it to him via email (make sure you send the pass not in md5). If there's no such row, output "Error".

Orio.
poirot Posted August 9, 2006

Obviously you still can "reverse" the MD5 hash by using rainbow tables (which are known for being a very effective method) or an MD5 hash database like these:
http://gdataonline.com/
http://md5.rednoize.com/
Orio Posted August 9, 2006

Cracking his users' passes? Sounds pretty unsafe to register on his site...

Orio.
poirot Posted August 9, 2006

[quote author=Orio link=topic=103621.msg412723#msg412723 date=1155158551]Cracking his users' passes? Sounds pretty unsafe to register on his site...

Orio.[/quote]

The same is true for any site. If the admin were unscrupulous, though, why have MD5 at all? Just store the plain pass.

I am just pointing out that it IS possible to "convert" md5 hashes back to plaintext (when you are working with short strings as passwords, obviously).
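The point poirot is making above, as an added example that is not code from the thread or from any of the posters: an unsalted md5() of a short or common password is recovered by a dictionary or brute-force search in a fraction of a second, which is exactly what the online lookup databases precompute. The wordlist below is constructed for the demo and stands in for a real dictionary; the contrast at the end with password_hash() shows why a salted, slow hash cannot be attacked with a precomputed table.

```php
<?php
// Added example (not from the thread): why an unsalted MD5 password hash is
// "reversible" in practice for short or common passwords, and why a salted,
// slow hash is not. The wordlist is constructed inline; nothing is looked up online.

declare(strict_types=1);

/** Constructed mini wordlist standing in for a real dictionary or rainbow table. */
const WORDLIST = ['123456', 'password', 'letmein', 'qwerty', 'secret1', 'dragon'];

/**
 * Dictionary attack: hash each candidate and compare to the stored digest.
 * An online MD5 lookup database is this loop, precomputed over a huge wordlist.
 */
function crackMd5WithWordlist(string $md5Hex, array $wordlist): ?string
{
    foreach ($wordlist as $candidate) {
        if (hash_equals($md5Hex, md5($candidate))) {
            return $candidate;
        }
    }
    return null;
}

/**
 * Exhaustive search over short lowercase-alphanumeric strings.
 * 36^4 is about 1.7 million md5() calls, which PHP finishes in about a second;
 * a rainbow table trades that time for disk space and answers instantly.
 */
function crackMd5ByBruteForce(string $md5Hex, int $maxLen = 4): ?string
{
    $alphabet = 'abcdefghijklmnopqrstuvwxyz0123456789';
    $base = strlen($alphabet);
    for ($len = 1; $len <= $maxLen; $len++) {
        $total = $base ** $len;
        for ($n = 0; $n < $total; $n++) {
            // Encode the counter as a base-36 string of exactly $len characters.
            $x = $n;
            $candidate = '';
            for ($i = 0; $i < $len; $i++) {
                $candidate = $alphabet[$x % $base] . $candidate;
                $x = intdiv($x, $base);
            }
            if (md5($candidate) === $md5Hex) {
                return $candidate;
            }
        }
    }
    return null;
}

// A password stored with plain md5(), the way the original poster describes.
$storedMd5 = md5('letmein');
echo "wordlist:    ", crackMd5WithWordlist($storedMd5, WORDLIST) ?? '(not found)', "\n";
echo "brute force: ", crackMd5ByBruteForce(md5('ab12')) ?? '(not found)', "\n";

// Contrast: password_hash() (bcrypt) adds a random per-user salt and a work factor,
// so the same password hashes differently each time and no table can be precomputed.
$h1 = password_hash('letmein', PASSWORD_BCRYPT);
$h2 = password_hash('letmein', PASSWORD_BCRYPT);
echo "bcrypt hashes differ: ", var_export($h1 !== $h2, true), "\n";
echo "both still verify:    ", var_export(password_verify('letmein', $h1) && password_verify('letmein', $h2), true), "\n";
```

Run it with `php crack_demo.php`. The wordlist hit comes back immediately and the four-character brute force takes well under a second; raising $maxLen by one multiplies the search by 36, which is why length and an unusual character set, not the hash algorithm alone, decide whether a plain MD5 is recoverable.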
tomfmason Posted August 9, 2006

Personally, what I do is first, when the user signs up, I email them with all of the information that they signed up with. I would also have them choose two security questions, like the city that they were born in and something else like the last four of their social. Then I instruct them to search their email for their registration information. If they are unable to find their password, then I have them input their email address, username and the two security questions. Then I create them a random password with this code and email it to them.

[code=php:0]function makeRandomPassword() {
    // 33-character alphabet (ambiguous characters such as d, i, l, o, 1 are left out)
    $salt = "abchefghjkmnpqrstuvwxyz0123456789";
    srand((double)microtime()*1000000);
    $pass = "";            // initialise so the first concatenation does not use an undefined variable
    $i = 0;
    while ($i <= 7) {      // eight characters
        $num = rand() % 33;
        $tmp = substr($salt, $num, 1);
        $pass = $pass . $tmp;
        $i++;
    }
    return $pass;
}[/code]

Then after they log in with the new password, I allow them to change it again to whatever they want. I also mail the new password to them and instruct them to save the email for future reference.

Hope this helps,
Tom
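Orio's reset-link procedure and tomfmason's random-password generator, combined into one worked flow as an added example (this is not code from either poster or from the thread). It assumes an in-memory SQLite table named users with the columns shown, an email sender replaced by a closure that just records the message, and the function and column names used here, all of which are illustrative. Two changes from the posts are deliberate: the token comes from random_bytes() rather than md5($username.time()), and only its SHA-256 is stored, so a leaked database does not contain live reset links; the new password comes from random_int() rather than rand() seeded from microtime().

```php
<?php
// Added example (not from the thread): Orio's reset-link procedure plus tomfmason's
// random-password generator, redone with modern PHP primitives.
// Assumptions: pdo_sqlite is available; the "users" table, column names, URL and
// mailer closure are constructed for the demo and are not the posters' code.

declare(strict_types=1);

const TOKEN_TTL_SECONDS = 3600;   // reset links expire after one hour

function setupDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (
        username TEXT PRIMARY KEY, email TEXT, password_hash TEXT,
        reset_token_hash TEXT, reset_expires INTEGER)');
    $st = $db->prepare('INSERT INTO users VALUES (?, ?, ?, NULL, NULL)');
    $st->execute(['alice', 'alice@example.com', password_hash('oldpass', PASSWORD_DEFAULT)]);
    return $db;
}

/** Cryptographically random password from an alphabet without look-alike characters. */
function makeRandomPassword(int $length = 12): string
{
    $alphabet = 'abcdefghjkmnpqrstuvwxyzABCDEFGHJKMNPQRSTUVWXYZ23456789';
    $max = strlen($alphabet) - 1;
    $pass = '';
    for ($i = 0; $i < $length; $i++) {
        $pass .= $alphabet[random_int(0, $max)];   // CSPRNG, not rand()/srand()
    }
    return $pass;
}

/**
 * Step 1: the user asks for a reset. Generate an unguessable token, store only its
 * SHA-256 with an expiry, and mail the raw token as the link Orio describes.
 */
function requestReset(PDO $db, string $username, callable $sendMail): void
{
    $token = bin2hex(random_bytes(32));            // 256 bits of entropy
    $st = $db->prepare('UPDATE users SET reset_token_hash = ?, reset_expires = ?
                        WHERE username = ?');
    $st->execute([hash('sha256', $token), time() + TOKEN_TTL_SECONDS, $username]);
    if ($st->rowCount() === 1) {
        $sendMail($username, 'https://www.example.com/reminder.php?str=' . $token);
    }
    // Unknown usernames get no error, so the form cannot be used to enumerate accounts.
}

/**
 * Step 2: reminder.php receives ?str=<token>. Look the row up by token hash, check the
 * expiry, burn the token, set a fresh random password and mail it in plaintext as the
 * post describes (forcing a change at next login is better still).
 */
function completeReset(PDO $db, string $token, callable $sendMail): bool
{
    $st = $db->prepare('SELECT username, reset_expires FROM users WHERE reset_token_hash = ?');
    $st->execute([hash('sha256', $token)]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    if ($row === false || (int) $row['reset_expires'] < time()) {
        return false;                              // no such row or expired: output "Error"
    }
    $newPass = makeRandomPassword();
    $st = $db->prepare('UPDATE users SET password_hash = ?, reset_token_hash = NULL,
                        reset_expires = NULL WHERE username = ?');
    $st->execute([password_hash($newPass, PASSWORD_DEFAULT), $row['username']]);
    $sendMail($row['username'], 'Your new password is: ' . $newPass);
    return true;
}

// Demo run with a fake mailer that just captures the messages it is asked to send.
$outbox = [];
$mailer = function (string $to, string $body) use (&$outbox) { $outbox[] = [$to, $body]; };

$db = setupDb();
requestReset($db, 'alice', $mailer);
$link  = $outbox[0][1];
$token = substr($link, strpos($link, 'str=') + 4);

var_dump(completeReset($db, 'not-a-real-token', $mailer));   // unknown token is rejected
var_dump(completeReset($db, $token, $mailer));               // the mailed token succeeds
var_dump(completeReset($db, $token, $mailer));               // second use is rejected
$newPass = substr($outbox[1][1], strlen('Your new password is: '));
$hash = $db->query("SELECT password_hash FROM users WHERE username = 'alice'")->fetchColumn();
var_dump(password_verify($newPass, $hash));                  // stored hash matches the mailed password
```

Run it with `php reset_demo.php`. The lookup is by the hash of the token, so no constant-time comparison on the raw token is needed and a database dump yields nothing usable; the expiry and the NULL-ing of reset_token_hash make each link single-use and time-limited, which md5($username.time()) stored as-is did not give you.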
onlyican Posted August 9, 2006

I own a disabled site, and I store the password unencrypted in the database. This means it's less confusing for the user (some are really disabled and everything needs to be as easy as possible). Also, I am not asking them for private confidential information.

What I also do is have one password for "normal sites" like this forum, one password for sites like PayPal, one password for my cPanel, and another password for emails and things. So if someone gets my password from a website, they can only access other websites, and not cause me damage.