
Forgot Password Script Help


jimmyp3016


Hey Guys,

I have a forgot password script I wrote where a user enters their email address and then it mails them their username and password. Everything works correctly except...

...It mails them the encrypted password in the database.

How do I decrypt it and mail them their actual password instead of random numbers and letters?

Any help will be greatly appreciated!

[quote author=Hypnos link=topic=123086.msg508325#msg508325 date=1169172528]
You can not (effectively) undo an MD5 encryption (assuming you're using MD5). That's why you use it.

md5() encrypts. It doesn't unencrypt.

This forces you to take the more secure route of generating a random password and emailing it to them.
[/quote]

Is there a pre-made script out there that you know of that can do this, so I can just update my table name etc.?

Probably,

It is not that hard though.

User enters email address and presses submit.

$newpass = generate_key(); <- There are heaps of scripts out there to generate random strings, just find one, because that function is not default...

$newencpass = md5($newpass);

Then update the database with the new password and if that works, email them the $newpass (which is the unencrypted password).

Simple.

Dave.

So I got the script working and it sends me the random password, but it does not store it in the database as MD5. It stores it as the random password, so when I try to log in it doesn't work.

What could be wrong?

Here is my script...

[code]
include "config-site.php";
require_once( "functions.inc.php" );

echo doHeader();

$email = $_GET['email'];

if ($email != "") {

  // Open database...
  $db = mysql_connect("$localhost", "$databaseuser", "$databasepasswd");
  mysql_select_db("$databasename",$db);

  // Get password and email from database...
  $sql="SELECT password,email FROM user WHERE email='$email'";
  $result = mysql_query("$sql",$db);
  if (mysql_num_rows($result) != 0) {

    // Store in variables...
    $password = mysql_result($result, 0, "password");
    $email = mysql_result($result, 0, "email");
  }

  // Build a random 10-letter password...
  $str = '';
  for ($i=1; $i<=10; $i++){
    $set = array(rand (65,90),rand(97,122));
    $str .= chr($set[rand(0,1)]);
  }

  $newencpass = md5($str);

  $sql = "SELECT * FROM user WHERE email='$email'";
  $sql = "UPDATE user SET password = '$str' WHERE email='$email'";
  $result = mysql_query($sql,$db) || die("Can't query DB: ". mysql_error());

  // Close database...
  mysql_close($db);

  if ($email != "") {

    // Send message with password...
    $message="Your New Password is:\n\n";
    $message.="Login : $email\n\n";
    $message.="Password : $str \n\n";
    $recipient="$email";
    $subject="MySite.com - Login-Pass Request";
    mail("$recipient","$subject","$message","From: passrequest@mysite.com \nContent-Type: text/plain; charset=iso-8859-1\nContent-Transfer-Encoding: 8bit");
  }
}
[/code]

Oh, you have some mistake.
If you want the database to store the md5 password, you should edit it.
[CODE]
include "config-site.php";
require_once( "functions.inc.php" );

echo doHeader();

$email = $_GET['email'];

if ($email != "") {

  // Open database...
  $db = mysql_connect("$localhost", "$databaseuser", "$databasepasswd");
  mysql_select_db("$databasename",$db);

  // Get password and email from database...
  $sql="SELECT password,email FROM user WHERE email='$email'";
  $result = mysql_query("$sql",$db);
  if (mysql_num_rows($result) != 0) {

    // Store in variables...
    $password = mysql_result($result, 0, "password");
    $email = mysql_result($result, 0, "email");
  }

  // Build a random 10-letter password...
  $str = '';
  for ($i=1; $i<=10; $i++){
    $set = array(rand (65,90),rand(97,122));
    $str .= chr($set[rand(0,1)]);
  }

  $newencpass = md5($str);

  $sql = "SELECT * FROM user WHERE email='$email'";
  // Store the MD5 value ($newencpass), not the plain $str...
  $sql = "UPDATE user SET password = '$newencpass' WHERE email='$email'";
  $result = mysql_query($sql,$db) || die("Can't query DB: ". mysql_error());

  // Close database...
  mysql_close($db);

  if ($email != "") {

    // Send message with password...
    $message="Your New Password is:\n\n";
    $message.="Login : $email\n\n";
    $message.="Password : $str \n\n";
    $recipient="$email";
    $subject="MySite.com - Login-Pass Request";
    mail("$recipient","$subject","$message","From: passrequest@mysite.com \nContent-Type: text/plain; charset=iso-8859-1\nContent-Transfer-Encoding: 8bit");
  }
}
[/CODE]

==> Because when you store your password, you just store it with the $str variable. This variable is not the md5 password.

That is right whitelion.

A couple of things to note though.

1. Whitelion, in your earlier post you said you can read what the password was if you do md5(encrypted_password_goes_here); and that is not true.

And Jimmy, in functions like $result = mysql_query("$sql",$db);
don't encase your variables in " "; there is no need, and it will probably cause you dramas one day.
" " says that it is a string, and if it is a string within the variable already, there is no need...

What I would recommend is not sending them the password at all.

Do like most sites and send them a link to change their password.

When the user wants a new password, it creates 2 random numbers and stores them in the users table.

i.e.

[code=php:0]
$rand1 = rand(111111111,999999999);
$rand2 = rand(111111111,999999999);
[/code]

Then send the user a link to their email that has 

http://mydomain.com/reset_password.php?rand1=736254629&rand2=837618390

Then verify that and let them set their new password.  Upon reset set them new random numbers so that the link can't be used again.

Then the password is safe and the unencrypted email means nothing anymore.

My 2 cents..
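The reset-link flow suggested in the last post, as an added example that is not part of the original thread or any poster's code. It goes further than the post: one token from random_bytes() replaces the two rand() numbers, only a hash of the token is stored, the link expires, the new password is stored with password_hash() instead of md5(), and prepared statements replace the interpolated $email of the scripts above. The function names, the reset_hash and reset_expires columns, the email and token link parameters, and the in-memory SQLite database are assumptions for illustration.

```php
<?php
// Added example. Columns reset_hash / reset_expires and both function names are
// assumptions; the thread's user table only shows email and password.

function issueResetToken(PDO $db, string $email, int $ttl = 1800): ?string
{
    $token = bin2hex(random_bytes(32));   // CSPRNG output, unlike rand()
    $stmt = $db->prepare(
        'UPDATE user SET reset_hash = ?, reset_expires = ? WHERE email = ?'
    );
    // Only a hash of the token is stored, so a leaked table holds no usable links.
    $stmt->execute([hash('sha256', $token), time() + $ttl, $email]);
    return $stmt->rowCount() === 1 ? $token : null;   // null: no such address
}

function completeReset(PDO $db, string $email, string $token, string $newPass): bool
{
    $stmt = $db->prepare('SELECT reset_hash, reset_expires FROM user WHERE email = ?');
    $stmt->execute([$email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if (!$row || $row['reset_hash'] === null || (int) $row['reset_expires'] < time()) {
        return false;                     // unknown user, no pending reset, or expired
    }
    if (!hash_equals($row['reset_hash'], hash('sha256', $token))) {
        return false;                     // constant-time comparison failed
    }
    // Store a salted password_hash() value and clear the token so the link is single-use.
    $stmt = $db->prepare(
        'UPDATE user SET password = ?, reset_hash = NULL, reset_expires = NULL WHERE email = ?'
    );
    return $stmt->execute([password_hash($newPass, PASSWORD_DEFAULT), $email]);
}

// Constructed demo: in-memory SQLite stands in for the MySQL database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE user (email TEXT PRIMARY KEY, password TEXT,
           reset_hash TEXT, reset_expires INTEGER)');
$db->exec("INSERT INTO user (email, password) VALUES ('alice@example.com', 'old')");

$token = issueResetToken($db, 'alice@example.com');
echo "http://mydomain.com/reset_password.php?email=alice%40example.com&token=$token\n";
var_dump(completeReset($db, 'alice@example.com', 'guess', 'N3w-pass'));  // wrong token
var_dump(completeReset($db, 'alice@example.com', $token, 'N3w-pass'));   // valid link
var_dump(completeReset($db, 'alice@example.com', $token, 'again'));      // reused link
```

The request page should show the same response whether issueResetToken() returns a token or null, so the form does not reveal which addresses have accounts.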
