PHP dehashing the password

One must store the hashed password in the database for security reasons.

If a user does not remember their account password, how can they retrieve it? I can only share their hashed password at this stage, which is useless to them.

Can you recover the password if it is hashed with md5 or sha1 and an additional salt?

Suraj asked Sep 01 '10 06:09


3 Answers

There is but one simple answer: You cannot.

Well, theoretically you could, but it could take many years per password if they are long enough. After all, that is the point of hashing passwords in the first place: to make the data effectively useless to an attacker (or at least protect the user's plaintext password, which is sensitive data.)

Just have the site send a "change your password" email containing a link to a page where that user can change his/her password. This is how most professional sites handle this dilemma.

hb2pencil answered Nov 15 '22 10:11


This is meant to be intractable. Thus, you usually have to provide some way of resetting it. Sending a special link to the user's email is common, though it reduces your security to that of the email account.

See "Forgot Password: what is the best method of implementing a forgot password function?".

Matthew Flaschen answered Nov 15 '22 11:11
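The reset-link flow that both answers above describe, written out as an added PHP example; this is not code from the original question or its answers. It assumes a PDO connection in exception error mode, a `users` table with `id`, `email` and `password_hash`, and a `password_resets` table with `user_id`, `token_hash`, `expires_at` and `used` (all assumed names). The demo at the bottom builds those tables in an in-memory SQLite database with one constructed user, and the reset URL in the comment is hypothetical.

```php
<?php
declare(strict_types=1);

// Assumed schema (not from the original post):
//   users(id, email, password_hash)
//   password_resets(user_id, token_hash, expires_at, used)
const RESET_TOKEN_TTL_SECONDS = 900; // 15 minutes is plenty for clicking an emailed link

function nowUtc(): string
{
    return (new DateTimeImmutable('now', new DateTimeZone('UTC')))->format('Y-m-d H:i:s');
}

// Step 1: user submits their address. Returns the token to put in the emailed link,
// or null when the address is unknown. The caller must send the same generic
// "if that address exists, a link is on its way" message in both cases, so the
// form cannot be used to enumerate accounts.
function createResetToken(PDO $db, string $email): ?string
{
    $stmt = $db->prepare('SELECT id FROM users WHERE email = ?');
    $stmt->execute([$email]);
    $userId = $stmt->fetchColumn();
    if ($userId === false) {
        return null;
    }

    // 256 bits from the CSPRNG, hex-encoded so it survives a URL untouched.
    $token = bin2hex(random_bytes(32));

    // Store only a hash of the token: a leaked password_resets row must not be
    // enough to take over the account, exactly as with the password itself.
    $tokenHash = hash('sha256', $token);
    $expiresAt = (new DateTimeImmutable('now', new DateTimeZone('UTC')))
        ->modify('+' . RESET_TOKEN_TTL_SECONDS . ' seconds')
        ->format('Y-m-d H:i:s');

    $stmt = $db->prepare(
        'INSERT INTO password_resets (user_id, token_hash, expires_at, used) VALUES (?, ?, ?, 0)'
    );
    $stmt->execute([(int) $userId, $tokenHash, $expiresAt]);

    return $token; // goes into the email only; never log it
}

// Step 2: user follows the link and submits a new password. Returns false when the
// token is unknown, expired or already used.
function consumeResetToken(PDO $db, string $token, string $newPassword): bool
{
    $stmt = $db->prepare(
        'SELECT user_id FROM password_resets WHERE token_hash = ? AND used = 0 AND expires_at > ?'
    );
    $stmt->execute([hash('sha256', $token), nowUtc()]);
    $userId = $stmt->fetchColumn();
    if ($userId === false) {
        return false;
    }

    $db->beginTransaction();
    try {
        $stmt = $db->prepare('UPDATE users SET password_hash = ? WHERE id = ?');
        $stmt->execute([password_hash($newPassword, PASSWORD_DEFAULT), (int) $userId]);
        // Single use: burn this token and every other outstanding token for the user.
        $stmt = $db->prepare('UPDATE password_resets SET used = 1 WHERE user_id = ?');
        $stmt->execute([(int) $userId]);
        $db->commit();
    } catch (Throwable $e) {
        $db->rollBack();
        throw $e;
    }
    return true;
}

// Self-contained demo on an in-memory SQLite database (constructed for this example).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT UNIQUE, password_hash TEXT)');
$db->exec('CREATE TABLE password_resets (user_id INTEGER, token_hash TEXT, expires_at TEXT, used INTEGER)');
$db->prepare('INSERT INTO users (email, password_hash) VALUES (?, ?)')
   ->execute(['suraj@example.com', password_hash('old-password', PASSWORD_DEFAULT)]);

$token = createResetToken($db, 'suraj@example.com');
// In production this is mailed as a link such as https://example.com/reset?token=<token> (hypothetical URL).
printf("first use of token: %s\n", consumeResetToken($db, $token, 'new-password') ? 'accepted' : 'rejected');
printf("second use of token: %s\n", consumeResetToken($db, $token, 'another') ? 'accepted' : 'rejected');

$hash = $db->query("SELECT password_hash FROM users WHERE email = 'suraj@example.com'")->fetchColumn();
printf("old password still verifies: %s\n", password_verify('old-password', $hash) ? 'yes' : 'no');
printf("new password verifies: %s\n", password_verify('new-password', $hash) ? 'yes' : 'no');
```

The properties worth checking in any reset implementation are the ones the code makes explicit: the token is unguessable (CSPRNG, 256 bits), short-lived, single use, stored only as a hash, and the request form does not reveal whether an address is registered. As the second answer points out, once the link is sent the mailbox is the authenticator; the token's entropy and lifetime are the only parts of that the site still controls.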


The security of hashing instead of encrypting the password is that you cannot reverse a hash. If you could unhash the password and give the user their plain text password, then any hacker can reverse the hashed password you use for registration and sign in and "dehash" it to get the user's password.
This is a feature, not a bug.

chustar answered Nov 15 '22 11:11
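To make the point in the last answer concrete, here is an added PHP example that is not from the original post or its answers: the only way anyone gets a password back out of a hash is to guess candidates and compare, which a salt does nothing to prevent when the password itself is guessable. The legacy scheme (md5 over salt plus password) is an assumption about what the question meant by "md5 with additional salt"; the wordlist and the two sample passwords are constructed for this example.

```php
<?php
declare(strict_types=1);

// Legacy scheme assumed from the question: md5 over the salt and the password.
function legacyHash(string $salt, string $password): string
{
    return md5($salt . $password);
}

// There is no inverse function; this guess-and-compare loop is the entire "dehash"
// toolkit, and it is exactly what an attacker runs over a leaked users table.
function guessLegacyPassword(string $salt, string $hash, array $wordlist): ?string
{
    foreach ($wordlist as $candidate) {
        if (hash_equals($hash, legacyHash($salt, $candidate))) {
            return $candidate;
        }
    }
    return null;
}

// Rough throughput of a hash function, to show why the scheme and cost matter.
function guessesPerSecond(callable $hashFn, int $iterations): float
{
    $start = hrtime(true);
    for ($i = 0; $i < $iterations; $i++) {
        $hashFn('candidate' . $i);
    }
    $elapsedSeconds = (hrtime(true) - $start) / 1e9;
    return $iterations / $elapsedSeconds;
}

// Constructed sample data: a tiny wordlist, a random salt, one weak and one strong password.
$wordlist = ['123456', 'password', 'qwerty', 'letmein', 'iloveyou'];
$salt     = bin2hex(random_bytes(8));
$weak     = legacyHash($salt, 'letmein');
$strong   = legacyHash($salt, 'correct horse battery staple');

// The salt is known to whoever holds the table, so it only stops precomputed tables;
// a password that is on the list still falls, and one that is not stays out of reach.
printf("weak hash recovered as: %s\n", guessLegacyPassword($salt, $weak, $wordlist) ?? '(not found)');
printf("strong hash recovered as: %s\n", guessLegacyPassword($salt, $strong, $wordlist) ?? '(not found)');

// Modern scheme: password_hash() generates its own salt and embeds it in the output.
// Verification is still guess-and-compare, just far slower per guess, and there is
// still no way to turn the stored hash back into the plaintext.
$hash = password_hash('letmein', PASSWORD_BCRYPT, ['cost' => 12]);
printf("stored value: %s\n", $hash);
printf("correct password verifies: %s\n", password_verify('letmein', $hash) ? 'yes' : 'no');
printf("wrong password verifies: %s\n", password_verify('letmein2', $hash) ? 'yes' : 'no');

// Cost per guess is the defence for passwords that are guessable but not trivially so.
$md5Rate    = guessesPerSecond(fn(string $p) => legacyHash($salt, $p), 200000);
$bcryptRate = guessesPerSecond(fn(string $p) => password_hash($p, PASSWORD_BCRYPT, ['cost' => 12]), 4);
printf("salted md5: %.0f guesses/s, bcrypt cost 12: %.2f guesses/s, ratio %.0fx\n",
    $md5Rate, $bcryptRate, $md5Rate / $bcryptRate);
```

Run it and compare the two rates: the ratio is the factor by which migrating from salted md5 to `password_hash()` multiplies the time an attacker needs for the same wordlist against a leaked table. That, rather than any reversibility, is the only lever the site has over what happens to the hashes after a breach.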