Hi

So story goes, Ive recently started hashing user passwords to protect access, but have come to a bit of a problem in that if a user forgets their password, Im unable to retrieve it for them, because all I have is the salted-md5 hash?

How has everyone else overcome this problem?

lowrks

its not possible the crack the md5 encrypted string , because its an one sided encryption.
Its been done with the huge database actually. Have a look at this -
http://md5crack.com/crackmd5.php

You need to understand that a salted hash is irreversible (without the original text and salt). Thats the point of it.

You either need to generate them a new password and send it to them or give them access to a reset password page on your site.

By the reset password page, I mean you need to send them a link with a unique code only for them. I also set a cookie with another random string and compare the two with the database entry. If they match then they put in their new password.

cool, i do understand that md5 is irreversible, just wondering what the conventional solution is. Thanks for the help - I think i will go the 'generate them a new password route'.

lworks

There isn't an effective way to do this.

The best way would allow the users to reset their password and send them a copy via email.

I was pretty new to php when I made this but you can make your own adjustments.

<?php
//3 arrays of random numbers and letters
$caps = array("A", "B", "C", "D", "E", "F");
$lcase = array("a", "b", "c", "d", "e", "f");
$num = array("1", "2", "3", "4", "5", "6");
						
//radnomly generate a password using caps, lcase & num
$char1 = $caps[round(rand(-0.4, 5.4))];
$char2 = $lcase[round(rand(-0.4, 5.4))];
$char3 = $num[(round(rand(-0.4, 5.4)))];
$char4 = $caps[round(rand(-0.4, 5.4))];
$char5 = $num[(round(rand(-0.4, 5.4)))];
$char6 = $lcase[round(rand(-0.4, 5.4))];
$char7 = $caps[round(rand(-0.4, 5.4))];
$char8 = $num[round(rand(-0.4, 5.4))];
						
$newpassword = $char1.$char2.$char3.$char4.$char5.$char6.$char7.$char8;
		
//this is just to make md5 more secure, you may want to remove this if you dont add anything to your passwords. 			
$randomword = "salt";
$safepword = md5($newpassword.$randomword);

email them with $newpassword & add safepword to your Database.

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.