I am currently using MD5 encryption for storing the password in the database. We didn't have the password reset functionality before, but now we are implementing it. So I can't decrypt MD5 and send the password to the user, but I can if it is encrypted in base64. Now I am a little bit confused about which is the best encryption method.
I already did the client side validation for strong password (like 8 char length, special characters etc).
In many applications, the MD5 algorithm is used which produces a 128-bit output which is represented as a sequence of 32 hexadecimal digits. This output is further encoded using a base62 or base64 scheme.
Base64 is not encryption; it is an encoding. Its role is to make sure the password can be stored in the database nicely and that special characters aren't a problem. It does nothing to protect the password. From a security standpoint, it is exactly the same as storing it without any encoding.
Encoding, hashing, and encryption can be used together. A base64 encoded message to an application may be hashed so the integrity of that message can be verified by the receiver.
MD5 hashes are no longer considered cryptographically secure and should not be used for cryptographic authentication, according to the IETF.
Base64 is not an encryption mechanism; it is an encoding scheme. It is easily reversed, so it is not a good choice for protecting critical data.
The common approach for passwords is to hash them with something like MD5, and then store the hash. When the user logs in again, hash the input password, and compare that to the stored hash.
If the user forgets his password, you should not be able to tell him what it is. Instead, allow him to reset it to something else (presumably something he can remember).
Also, as @Phil Brown mentions, MD5 is not considered a strong encryption mechanism. SHA-1 would be better suited for this task.
Base64 encoding is generally used to transmit binary data over a mechanism that only allows ASCII text.
Base64 is not encryption; it is an easily reversible encoding mechanism. MD5 is a one-way cryptographic hash, though its use is not recommended because it is cryptographically weak.
For your needs you probably want to store the hash of the password (better with salt), probably using SHA-256 or better. When users forget their password, you generate a random one-time use password for them and force them to recreate a password, or just make them do it after verifying some credentials.
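The answers above make three points: base64 is reversible and therefore no protection, passwords should be stored as a salted one-way hash and verified by re-hashing the login input, and a forgotten password should be handled with a random one-time reset credential rather than by revealing anything. The following is an added example (not code from the question or any of the answers) that puts those three points into working Python. It uses only the standard library; the PBKDF2 iteration count, the 15-minute token lifetime and the `users`/`pending` dictionaries standing in for database tables are assumptions made for the example.

```python
import base64
import hashlib
import hmac
import secrets
import time
from typing import Optional


# --- 1. base64 is an encoding: anyone holding the stored value recovers the password ---
def base64_roundtrip(password: str) -> str:
    """Encode then decode, showing that base64 hides nothing."""
    encoded = base64.b64encode(password.encode("utf-8")).decode("ascii")
    return base64.b64decode(encoded).decode("utf-8")


# --- 2. salted one-way hash for storage (PBKDF2-HMAC-SHA256) ---
PBKDF2_ITERATIONS = 600_000  # assumed value for this example; tune to your hardware


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'iterations$salt$digest' as ASCII so it stores cleanly in a text column."""
    if salt is None:
        salt = secrets.token_bytes(16)  # a fresh random salt for every stored password
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return f"{PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Re-hash the login input with the stored salt and compare in constant time."""
    iterations, salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


# --- 3. password reset without ever knowing or revealing the old password ---
RESET_TTL_SECONDS = 15 * 60  # assumed lifetime for a reset token


def issue_reset_token(pending: dict, username: str, now: Optional[float] = None) -> str:
    """Create a single-use random token; the DB keeps only its hash and an expiry."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    pending[username] = {
        "token_hash": hashlib.sha256(token.encode("ascii")).hexdigest(),
        "expires": now + RESET_TTL_SECONDS,
    }
    return token  # this value is what goes to the user, e.g. in an e-mailed link


def redeem_reset_token(
    pending: dict,
    users: dict,
    username: str,
    token: str,
    new_password: str,
    now: Optional[float] = None,
) -> bool:
    """Accept the token once, within its lifetime, then store the new salted hash."""
    now = time.time() if now is None else now
    record = pending.get(username)
    if record is None:
        return False
    if now > record["expires"]:
        pending.pop(username)  # expired tokens are discarded, not kept around
        return False
    presented = hashlib.sha256(token.encode("ascii")).hexdigest()
    if not hmac.compare_digest(record["token_hash"], presented):
        return False
    pending.pop(username)  # single use: a second redemption must fail
    users[username] = hash_password(new_password)
    return True


if __name__ == "__main__":
    users, pending = {}, {}  # constructed stand-ins for database tables
    users["alice"] = hash_password("correct horse battery staple")
    print("base64 recovers:", base64_roundtrip("correct horse battery staple"))
    print("stored row:", users["alice"])
    print("login ok:", verify_password("correct horse battery staple", users["alice"]))
    token = issue_reset_token(pending, "alice")
    print("reset ok:", redeem_reset_token(pending, users, "alice", token, "new passphrase"))
    print("reuse blocked:", not redeem_reset_token(pending, users, "alice", token, "again"))
```

Only the hash of the reset token is stored, so a copy of the `pending` table does not let anyone complete a reset, and the token is invalidated the moment it is redeemed or expires. The stored password row carries its own salt and iteration count, which lets you raise `PBKDF2_ITERATIONS` later and re-hash users gradually as they log in.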
Base64 and MD5 are not encryption methods. Base64 is simply a way of encoding characters, which provides absolutely no security - it is as good as storing the password in plain text. MD5 is a hash function, which means it is one-way and cannot be decrypted.
Hashing is definitely the way to go. MD5 is okay, but you should switch to a more secure function such as SHA-256.
As for a "forgot password" feature, never store the user's password and send it back to them. Instead, generate a (random) temporary password for them so that they can log in and change it.
Best practice is to store the password hash using MD5 as you are now (or even better SHA256).
Don't do password recovery. Instead, when a user forgets their password, create a new random password and send it to them. They can then log in and set the password to something they prefer. Much more secure.