Possible Duplicate:
Is it possible to decrypt md5 hashes?
I have a database to store usernames, passwords, emails, etc. If a user forgets his/her password, I will send it to their email account.
The problem is that I encrypt the password to md5 before I store it into my database. If the user’s password is ABC, I store it in my database as 867dbd57e9ca9f808. I cannot send the user “867dbd57e9ca9f808” if they forget their password. I would need to send “ABC”. However, that would require me to “un-md5” the string, which I don’t think is possible.
MD5 was designed to be a hash, which is one-way only; otherwise it would not be a hash. You should not send the user his password, but give him the possibility to change it. You should generate a token and send a link to change the password to the user's mail, with the token in a GET parameter. If the user changes the password, remove the token. Also, you should remember that the token must have an expiry time.
Something like:
In the database, you can look up the token and get the user id. So, for example, your table structure can look like:
If you would keep only tokens and expiry times in the database, don't do this. Associate the token with the user, otherwise the user can request a password change and he will get the following link (Don't do this):
This way he can change someone else's password by replacing user_id, and get access to his account. Expiry time should not be longer than 24 hours.
Important
Don't use plain md5, it's easy to crack. Use pbkdf2, for example. PHP implementations: PHP-Crypt-Lib, Pbkdf2 by inanimatt
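The reset flow this answer describes, as an added example that is not part of the original post: the token is bound to a user row on the server, expires after 24 hours, is removed on use, and the password is stored with PBKDF2. The table names, function names and iteration count are assumptions, it uses Python's standard library with an in-memory SQLite database rather than the PHP libraries named above, and storing only a SHA-256 digest of the token is an extra choice the answer does not mention.

```python
import hashlib, hmac, os, secrets, sqlite3, time

TOKEN_TTL = 24 * 3600   # expiry no longer than 24 hours, as the answer advises
ITERATIONS = 600_000    # assumed PBKDF2 work factor for this example

def open_db():
    db = sqlite3.connect(":memory:")  # constructed schema, in memory only
    db.executescript("""
        CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT UNIQUE, salt BLOB, pw_hash BLOB);
        CREATE TABLE reset_tokens (token_hash TEXT PRIMARY KEY,
            user_id INTEGER NOT NULL REFERENCES users(id), expires_at INTEGER NOT NULL);""")
    return db

def digest(token):  # only this digest is stored, never the token itself
    return hashlib.sha256(token.encode()).hexdigest()

def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def set_password(db, user_id, password):
    salt = os.urandom(16)  # fresh random salt on every password change
    db.execute("UPDATE users SET salt = ?, pw_hash = ? WHERE id = ?",
               (salt, hash_password(password, salt), user_id))

def add_user(db, email, password):
    uid = db.execute("INSERT INTO users (email) VALUES (?)", (email,)).lastrowid
    set_password(db, uid, password)
    return uid

def check_password(db, email, password):
    row = db.execute("SELECT salt, pw_hash FROM users WHERE email = ?", (email,)).fetchone()
    return bool(row) and hmac.compare_digest(row[1], hash_password(password, row[0]))

def request_reset(db, email, now=None):
    row = db.execute("SELECT id FROM users WHERE email = ?", (email,)).fetchone()
    if row is None:
        return None                     # unknown address: nothing to mail
    token = secrets.token_urlsafe(32)   # this value goes in the link's GET parameter
    db.execute("DELETE FROM reset_tokens WHERE user_id = ?", (row[0],))  # one live token per user
    db.execute("INSERT INTO reset_tokens VALUES (?, ?, ?)",
               (digest(token), row[0], (now or int(time.time())) + TOKEN_TTL))
    return token

def redeem_reset(db, token, new_password, now=None):
    row = db.execute("SELECT user_id, expires_at FROM reset_tokens WHERE token_hash = ?",
                     (digest(token),)).fetchone()
    db.execute("DELETE FROM reset_tokens WHERE token_hash = ?", (digest(token),))  # single use
    if row is None or (now or int(time.time())) > row[1]:
        return False
    set_password(db, row[0], new_password)  # user id comes from the token row, never from the URL
    return True
```

Because `redeem_reset` takes no user id from the caller, editing the link cannot redirect the change to another account.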