i was thinking sending an email with the md5 password as token and check

Question

Asked: May 30, 20262026-05-30T13:55:30+00:00 2026-05-30T13:55:30+00:00

i was thinking sending an email with the md5 password as token and check if the email+password are correct before showing the recover password form

1) user enters mail

2) if mail exists, send an email to with it with password as token

3) when user click to link: check if mail and md5 password are correct, if so:

4) show password generator form

-EDIT-

So how could be safer without adding any column to the user table?

You must login to add an answer.

Need An Account,

Editorial Team · Answer 1 · 2026-05-30T13:55:31+00:00

It’s at least theoretically unsafe. See e.g. md5 decoding. How they do it? and MD5 security is fine?

But why do that in the first place? The following would be much more secure, and only marginally more difficult to implement:

Generate a random key, e.g. 123456789abc
Store it in the user record
Add the key to the URL lookup.php?key=123456789abc
When the user clicks the URL, look up the key to find the correct E-Mail address.
Once the operation has completed, delete the key.

Give the key a lifetime of, say, 24 hours so illegitimate requests fade away.

The Archive Base Latest Questions