converting md5 password to readable format [RESOLVED]

[AdRock]

When news user details are inserted into the database I have used md5 to encrypt the password.

I now have a form to recover a lost password which gets the record from the database and emails the user the username and password.

The problem is that the password is still encrypted.

I need to know how i can convert the md5 password to a format that the user can read and understand

[king arthur]

You can't. If someone has forgotten their password the only option is to enable them to choose a new one.

[Orio]

When someone forget's his pass and asks for a reminder, generate a random string, for example:
<?php
$rand_string=md5($username.time());
?>
Store it in the db in the row of the user, in the column "reminder_rand".
Then send a link (to the email given) that looks like this:
echo("www.domain.com/reminder.php?str=".$rand_string);

reminder.php will check if there's a row that "reminder_rand" equals $rand_string, and if so create a random pass to the user, replace it with the old one (when it's md5 of course) and then send it to him via email (Make sure you send the pass not in md5). If there's no such row output "Error".

Orio.

[poirot]

Obviously you still can "reverse" the MD5 hash by using Rainbow (which is known for being a very effective method) or a MD5 hash database like these:

http://gdataonline.com/
http://md5.rednoize.com/

[Orio]

Cracking his user's passes? Sounds pretty unsafe to register to his site...

Orio.

[poirot]

[quote author=Orio link=topic=103621.msg412723#msg412723 date=1155158551]
Cracking his user's passes? Sounds pretty unsafe to register to his site...

Orio.
[/quote]
The same is true for any site. If the admin were unscrupulous though, why have MD5 at all?
Just store the plain pass.

I am just pointing that it IS possible to "convert" md5 hashes back to plaintext (when you are working with short strings as passwords, obviously).

[tomfmason]

Personaly what I do is first when the user signs up I  email them with all of the information that they signed up with. I would also have them choose two security questions like the city that they were born in and something else like last four of their social.

Then I  instruct them to search their email for their registration information. If they are unable to find their password, then I have them input their email address, username and the two security questions. Then I create them a random password with this code and email it to them.

[code=php:0]function makeRandomPassword() {
 $salt = "abchefghjkmnpqrstuvwxyz0123456789";
 srand((double)microtime()*1000000);  
     $i = 0;
     while ($i <= 7) {
           $num = rand() % 33;
           $tmp = substr($salt, $num, 1);
           $pass = $pass . $tmp;
           $i++;
     }
     return $pass;
} [/code]

Then after they log in with the new password, I allow them to change it again to what ever they want. I also mail the new password to them and instruct them to save the email for future refference.

Hope this helps,
Tom

[onlyican]

I own a disabled site, and I store the password un encrypted in the database
This means its less confusing for the user (some are really disabled and everything needs to be as easy as possible)

also I am not asking them for private confidential information

What I also do is have one password for "normal sites" like this forum
One password for sites like Paypal
One password for my cpanel
Another password for emails and things

So if someone gets my password from a website, they can only access other websites, and not corse me damage