Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

PHP:How to send the original password to the user when he clicks forgot password which is encrypted by using md5?

I am using md5 to encrypt the passwords in my project.

When user clicks on forgot password and submits his email,I have to send His password to him.

But the password is encrypted using md5.Generating new password should not do.Because In this project admin can see all the details of the user. So i have to show the original password to Admin. So The initial password is very important. SO how can i decrypt the password or any other way to send him original password?

Thanks in advance...

like image 476
kishore Avatar asked May 06 '10 10:05

kishore


People also ask

Can we decrypt MD5 in PHP?

How to Decrypt MD5 Passwords in PHP? The MD5 cryptographic algorithm is not reversible i.e. We cannot decrypt a hash value created by the MD5 to get the input back to its original value. So there is no way to decrypt an MD5 password.

Can you reverse an MD5 hash?

Hash functions are not reversible in general. MD5 is a 128-bit hash, and so it maps any string, no matter how long, into 128 bits. Obviously if you run all strings of length, say, 129 bits, some of them have to hash to the same value. (Another win for the pigeon hole principle.)

How PHP store encrypted password in database?

The process is used to encrypt passwords:Create a unique encryption key (DEK) Scramble the information utilizing unique key encryption. Move the unique encryption key (DEK) to Cloud KMS for encryption, which returns the KEK. Save the encrypted data and key (KEK) along with each other.


2 Answers

Hashes are not designed to be decrypted, which is why they're often referred to as "one-way hashes" instead of just hashes.

Instead, either...

  1. Generate a new password, hash that, store the new password hash in place of the old one, and email the newly generated password to the user.

  2. Generate a new password, hash it, store it in a field for temporary passwords, and then when the user logs in with that password, prompt them to enter a permanent new password.

  3. Generate a nonce, store it in a field for the nonce, and email the user a link with that nonce which will give them access to a page to enter a new password.

The third option is probably the best all around, since it doesn't leave an actual password (temporary or not) in plain view to someone reading the user's email, and since it utilizes a nonce, once it has been used it can't be used again by a malicious user.

The reason hashing is used for passwords is specifically to prevent them from being stored in a form where a malicious user could determine the password simply by looking at the database.

Edit:

"So i have to show the original password to Admin."

If you are hashing the password, this is not possible. In general, it is actually a bad idea to allow administrators to see users' passwords, because a large percentage of users tend to utilize the same password for multiple things, and the administrator of one thing (say, a company network) is probably not the administrator of many other things (say, a user's online banking system).

MD5 is not an encryption algorithm, it is a hashing algorithm. The two are not the same; encryption is designed to be reversible (hence the complementary term "decryption"), whereas hashing is designed to be one-way only.

like image 118
Amber Avatar answered Oct 08 '22 23:10

Amber


You can't. The reason cryptographic hashes[1] are referred to as "non-reversible" is that they can't be reversed. Which is the entire point of using them for password storage - it means that, if a Bad Guy gets his hands on the password database, he can't just reverse the hash to find out what all the passwords are.

I see from your edit that your intent is to display the user's password to the admin user(s) rather than for password recovery by the user himself. This is a Very Bad Idea. Many users attempt to ease the burden of remembering passwords by using the same password for multiple systems, which means that displaying their password in your system has a high probability of compromising their accounts on other systems.

True story: Back in 2000, I took a job at a startup that produced voicemail systems. To introduce me to the product on my first day, the IT director had me create a voicemail account, which I did, then he brought it up in the admin interface. I just about died when I saw my voicemail PIN displayed on the screen for all to see. Partly because it was shockingly bad security practice, but mostly because, even though he didn't know it, he now knew the PIN for my ATM card. That's just bad, bad, bad all around. Don't do that.


[1] MD5 is a hashing algorithm, not an encryption algorithm. The key difference between the two is that, for any given hashing algorithm, there are an infinite number of inputs which will produce the same output (which is why it's not reversible), while encryption has a one-to-one correspondence of input to output.

like image 21
Dave Sherohman Avatar answered Oct 09 '22 01:10

Dave Sherohman