I am currently reading a book on PHP/MySQL. I’m mainly interested in the hashing of passwords. The cleartext is converted into “gibberish” by md5/sha1 or some hash function and stored in the database. Fine, I get that. Hackers, even if they gain access to the database, still have the problem of finding the cleartext.
My question (which I hope isn’t stupid) is, on most (or all, come to think of it) websites that have user passwords, if the user forgets his/her password then the web admin will send it to the user’s email. Ok, but how does the web admin have the cleartext password?
I don’t think I’ve ever seen a web site that does that. Normally what they’ll do is send you a link which, when you click it, resets your password and sends you to a page where you must enter a new one. Some sites will send you a temporary password and urge you to change it. Note that in both cases, the web site doesn’t need to have the original cleartext.
If I clicked a password reset link and was sent my original password in cleartext, I’d have a very low opinion of that web site!
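The reset-link flow described in the answer, as an added example that is not part of the original post: the site stores only a password hash, issues a random single-use token (storing only the token's hash), and replaces the password hash once the user submits a new one. The in-memory arrays stand in for MySQL tables, the `example.com` URL is a placeholder, and the mailer is omitted.

```php
<?php
// Added example (not from the original post): password reset without the
// cleartext. Arrays below stand in for MySQL tables; the email step is stubbed.
declare(strict_types=1);

const RESET_TTL_SECONDS = 15 * 60; // reset links expire after 15 minutes

$users = [
    // Stored at signup: only the hash, never the cleartext password.
    'alice@example.com' => ['password_hash' => password_hash('old-secret', PASSWORD_DEFAULT)],
];
$resetTokens = []; // sha256(token) => ['email' => ..., 'expires' => unix time]

// Step 1: user asks for a reset. Generate a random token, store only its hash,
// and put the raw token in the emailed link. The old password is never read.
function requestReset(string $email, array $users, array &$resetTokens): ?string
{
    if (!isset($users[$email])) {
        return null; // the HTTP response should look the same either way
    }
    $token = bin2hex(random_bytes(32));
    $resetTokens[hash('sha256', $token)] = ['email' => $email, 'expires' => time() + RESET_TTL_SECONDS];
    return 'https://example.com/reset?token=' . $token; // this is what gets emailed
}

// Step 2: user follows the link and submits a new password. Look the token up
// by its hash, check expiry, store the new password hash, and burn the token.
function completeReset(string $token, string $newPassword, array &$users, array &$resetTokens): bool
{
    $key = hash('sha256', $token);
    if (!isset($resetTokens[$key]) || $resetTokens[$key]['expires'] < time()) {
        return false;
    }
    $email = $resetTokens[$key]['email'];
    unset($resetTokens[$key]); // single use: a leaked or replayed link is useless
    $users[$email]['password_hash'] = password_hash($newPassword, PASSWORD_DEFAULT);
    return true;
}

// Demo run: request a link, "click" it, then try to reuse it.
$link = requestReset('alice@example.com', $users, $resetTokens);
parse_str((string) parse_url($link, PHP_URL_QUERY), $query);
var_dump(completeReset($query['token'], 'new-secret', $users, $resetTokens));
var_dump(password_verify('new-secret', $users['alice@example.com']['password_hash']));
var_dump(completeReset($query['token'], 'again', $users, $resetTokens));
```

Storing only the token's hash means a database leak does not hand an attacker usable reset links, and the expiry plus single-use check limit how long a link in someone's mailbox stays valid.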