Getting MD5 codes from database and decoding it in PHP [duplicate]

This question already has answers here: Closed 11 years ago.

Possible Duplicates:

I Have md5 encrypted password, how to give the password to user when he uses “Forgot password”?

PHP:How to send the original password to the user when he clicks forgot password which is encrypted by using md5?

I do not know is it the right way to ask this question but I am implementing my own membership script in PHP and right now, I am stuc开发者_运维技巧k with the retrieving the MD5 codes from database. OK, I insert the user info to the database and because of the security issues I encrypted the password before saving it to database but my question is that when I try to create a forget your password stuff, how can I get the unencrypted password from the database. By the way I use MySQL and my question is not about inserting or retrieving data from database, I only ask how can I reverse the MD5 thing. Thanks in advance!

---

You can't. MD5 hashes, or hashes in general, are not reversible. That's exactly the reason why you're using them in the first place to store passwords, because you do not want the responsibility of knowing the actual password.

Forgot password functionality is implemented by sending an email to the user with a one-time link he has to click on and letting him enter a new password.

---

MD5 was intended to be one-way, but it's now thoroughly insecure. If you're actually serious about having any measure of security, rather than just going through the motions, you have some reading to do:

http://chargen.matasano.com/chargen/2007/9/7/enough-with-the-rainbow-tables-what-you-need-to-know-about-s.html

SHA512 vs. Blowfish and Bcrypt

http://codahale.com/how-to-safely-store-a-password/

---

Actually you don't get the password back ever again,

You hash the password entered and compare to the has in your database, thats how it works :) good luck

---

MD5 is a one-way hash so reversing it wont work.

How you do it is performa comparison against what is stored for example: SQL for entering the user:

INSERT INTO `users` (`username`, `password`) VALUES ('$username', MD5('$password'));

This will mean that the password is stored as a hash. When someone tries to log in you do the same thing but in a select statement:

SELECT * FROM `users` WHERE `username` = '$username' AND `password` = MD5('$password');

If there's a result, then the user is authenticated, if there's more than 1 result, then you have fun :)

For the forgot password bit, you are better to set up a chain where the user's are emailed a code and a link. Where they can enter that code on the "password reset" page as well as a new password.

HTH

---

There are various ways to deal with forgotten passwords, but figuring out the original password from an MD5 hash isn't really one of them.

For the record, however, you really shouldn't be using MD5 for this (or much of anything else related to security). MD5 is pretty badly broken -- unless there's absolutely no choice in the matter, switch to something else (oh, but you should also know that SHA-1 is only a little better than MD5).