tslid Posted July 31, 2011

Hi, I am having a little trouble with one modification of my password retrieval script. Currently, when a user forgets his password, the script generates a new one. After a while some users forget it again, so I want to simplify it a little bit by sending them their original password. Passwords are encrypted, so I can't get them with a simple MySQL query. Can you give me some tips on how to proceed? My level is not really advanced, but I am trying.

Here is the part of the code which generates a new one after the verification process and inserts it into the database:

```php
// generate_rand() and password() are the poster's own helpers (their bodies are not in this post);
// X stands for the length argument exactly as written in the post.
$salt = generate_rand(X);
$new_password = generate_rand(X);
// password() hashes the new password together with the salt.
$password = password($new_password, $salt);
// Store the hash and the salt for the logged-in user's uid.
$update_password = $db->query("UPDATE " . TABLE_PREFIX . "tableX SET password='$password', salt='$salt' WHERE uid='" . $session_data['uid'] . "'");
```

Regards
the182guy Posted July 31, 2011

MD5 by definition is a one-way hash algorithm, not an encryption algorithm. MD5 is the wrong choice if you need to be able to decrypt the password. Encryption algorithms are rarely used for password storage because of the possibility of decryption should one find the key.

If you don't like generating a random new password, another method would be this process (using MD5 or preferably SHA-256 or higher):

1. User clicks "forgot password"
2. Site sends email with unique link
3. User clicks link in email
4. User is shown a form where he can enter a new password
5. Site updates chosen new password

On the new password form, have the user confirm something about their account to increase security, before letting the password be updated.
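The five steps above, worked through as an added example (this is not code from the thread or from tslid's script). It assumes PHP 7 or later, swaps in `password_hash()` for the poster's own `password()` helper, and uses in-memory arrays and a returned URL in place of the MySQL table and the e-mail; `RESET_TOKEN_TTL`, the 12-character minimum and the `example.com` link are assumptions. The point to take from it: the reset never needs the old password, and the stored value is only ever checked by re-hashing, never "unhashed".

```php
<?php
// Added example, not part of the original thread. Assumes PHP 7+ (random_bytes,
// password_hash, hash_equals are all standard library functions).
declare(strict_types=1);

const RESET_TOKEN_TTL = 3600; // assumption: a reset link is valid for one hour

// Stand-in for the users table: uid => [email, password_hash] (constructed data).
$users = [
    42 => ['email' => 'alice@example.com',
           'password_hash' => password_hash('old-secret', PASSWORD_DEFAULT)],
];
// Stand-in for a password_resets table. Only a HASH of the token is stored, so a
// dump of this table (e.g. via SQL injection) does not yield usable reset links.
$resets = [];

// Steps 1-2: user clicks "forgot password"; create a single-use token and return the
// link that would be e-mailed. Unknown addresses get the same null as any failure,
// so the page can always say "if that address exists, we sent a link".
function requestReset(string $email, array $users, array &$resets): ?string
{
    foreach ($users as $uid => $u) {
        if (strtolower($u['email']) === strtolower($email)) {
            $token = bin2hex(random_bytes(32));          // 256 bits from the CSPRNG
            $resets[$uid] = [
                'token_hash' => hash('sha256', $token),  // hash, not the token itself
                'expires'    => time() + RESET_TOKEN_TTL,
            ];
            return 'https://example.com/reset.php?uid=' . $uid . '&token=' . $token;
        }
    }
    return null;
}

// Steps 3-5: user follows the link and submits a new password. The token is compared
// in constant time against the stored hash, rejected if expired, and invalidated
// once it has been used.
function completeReset(int $uid, string $token, string $newPassword,
                       array &$users, array &$resets): bool
{
    if (strlen($newPassword) < 12) {          // minimal policy (assumption); checked
        return false;                         // first so a weak choice keeps the token
    }
    if (!isset($resets[$uid], $users[$uid])) {
        return false;
    }
    $r = $resets[$uid];
    if (time() > $r['expires'] || !hash_equals($r['token_hash'], hash('sha256', $token))) {
        return false;
    }
    unset($resets[$uid]);                     // single use: a replayed link fails
    // password_hash chooses the algorithm and generates a per-user salt itself; the
    // salt is embedded in the returned string, so no separate salt column is needed.
    $users[$uid]['password_hash'] = password_hash($newPassword, PASSWORD_DEFAULT);
    return true;
}

// Login check: the stored hash is never reversed; the candidate is hashed and compared.
function checkLogin(int $uid, string $password, array $users): bool
{
    return isset($users[$uid]) && password_verify($password, $users[$uid]['password_hash']);
}

// Walk-through with the constructed data above.
$link = requestReset('alice@example.com', $users, $resets);
parse_str((string) parse_url((string) $link, PHP_URL_QUERY), $q);
$uid = (int) $q['uid'];
var_dump(completeReset($uid, 'not-the-token', 'correct horse battery', $users, $resets));
var_dump(completeReset($uid, $q['token'], 'correct horse battery', $users, $resets));
var_dump(completeReset($uid, $q['token'], 'a second new password', $users, $resets));
var_dump(checkLogin($uid, 'correct horse battery', $users));
var_dump(checkLogin($uid, 'old-secret', $users));
```

Of the three `completeReset` calls, only the second succeeds: the first presents the wrong token, and the third replays a token that was consumed by the second. The two `checkLogin` calls then show that the new password verifies and the old one no longer does, without any code path that reads a plaintext password back out of storage.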
tslid Posted August 1, 2011 Author

Hi, first, thanks for the reply and explanation. After md5 I also md5 the $salt; the password function is:

```php
$password_string = md5($password) . md5($salt);
$password = md5($password_string);
```

So this thing which I am aiming at, to read the password field from the database and send it "unhashed", is not practically possible?

Regards
Psycho Posted August 1, 2011

> So this thing which I am aiming at, to read the password field from the database and send it "unhashed", is not practically possible?

No, as the182guy stated, you cannot unhash a value. The whole point of hashing passwords (vs. encrypting them) is that they cannot be unhashed.

There are a couple of industry-wide solutions to reset a password (each with a few variations); each has its benefits and drawbacks.

1. Have the site send the user a new password via email, typically after answering a security question. Some sites skip the security question validation with the assumption that only the user would have access to their email. But it would likely be much easier to break into a user's email than into their banking site, so the security question adds additional security.

2. Provide the user the ability to reset their password. This has a few flavors:

a) You could have them reset their password directly after answering a security question. Again, this has some security gaps, as some security questions are easy to answer.

b) You could simply email the user a link to reset their password (as the182guy suggested). This ensures only someone with access to the user's email can do the reset. But this again has a slight security risk.

c) Do both: require the user to answer a security question and then email a link to reset their password.