PHP: How to send the original password to the user when he clicks forgot password which is encrypted by using md5

PHP: How to send the original password to the user when he clicks forgot password which is encrypted by using md5?

Hashes are not designed to be decrypted, which is why they're often referred to as "one-way hashes" instead of just hashes.

Instead, either...

  1. Generate a new password, hash that, store the new password hash in place of the old one, and email the newly generated password to the user.

  2. Generate a new password, hash it, store it in a field for temporary passwords, and then when the user logs in with that password, prompt them to enter a permanent new password.

  3. Generate a nonce, store it in a field for the nonce, and email the user a link with that nonce which will give them access to a page to enter a new password.

The third option is probably the best all around, since it doesn't leave an actual password (temporary or not) in plain view to someone reading the user's email, and since it utilizes a nonce, once it has been used it can't be used again by a malicious user.

The reason hashing is used for passwords is specifically to prevent them from being stored in a form where a malicious user could determine the password simply by looking at the database.

Edit:

"So i have to show the original password to Admin."

If you are hashing the password, this is not possible. In general, it is actually a bad idea to allow administrators to see users' passwords, because a large percentage of users tend to utilize the same password for multiple things, and the administrator of one thing (say, a company network) is probably not the administrator of many other things (say, a user's online banking system).

MD5 is not an encryption algorithm, it is a hashing algorithm. The two are not the same; encryption is designed to be reversible (hence the complementary term "decryption"), whereas hashing is designed to be one-way only.

I Have md5 encrypted password, how to give the password to user when he uses Forgot password?

You can't do that from an MD5 hash; nor should you be able to. Password recovery ought to be intractable.

The usual process is to send a password-reset token (URL) to their email address so that the user can choose a new password.

how to decrypt md5 hash

MD5 is a cryptographic hash, not an encryption scheme. It cannot be reversed in any direct way. It can only be brute-forced by trying possible passwords until one which matches is found. This is not recommended.

You cannot reasonably recover the password. Your forgot password link should instead reset the password.

This is intentional and good design. MD5 is used to hash the passwords so that if the password database should be hacked, the hackers will only have access to the hashes of the passwords and not the original passwords, making it difficult for them to discover your users' passwords.

However, at this point, MD5 crackers have gotten fast enough that it is not recommended for password use. In the future, scrypt or bcrypt should be used as the password hash function.

decrypt password hashed by the md5 function in PHP to display the original password in the edit form

Short answer : You can't.

Medium answer : Even if you could, you shouldn't.

Long answer :

A hash is a one-way road: you can't get back the input you hashed. (I won't mention brute force.)

Apart from that, you shouldn't display the old password to your user, no matter what, not even for the sake of "forgot password". It's a major security flaw.
If users want to change/reset/edit their password, just let them have a NEW password and store that in the DB without worrying about the old password.

And another important note: please use password_hash() to hash your passwords. md5 is not designed for passwords, as it has collisions and other serious issues.
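One way to act on that note for an existing md5-hashed user table, as an added example in PHP that is not code from the original answer: the plaintext is never recovered; instead the md5 is verified once more at the user's next login and then overwritten with a password_hash() value, and password_needs_rehash() keeps later hashes current. The record layout and the names legacyRecord(), isLegacyMd5() and checkLogin() are this example's own assumptions.

```php
<?php
// Added example, not code from the original answer. Login-time migration of an
// unsalted md5 password column to password_hash()/password_verify(). The
// plaintext is never "decrypted"; it is simply re-hashed the next time the
// user proves they know it. legacyRecord(), isLegacyMd5() and checkLogin()
// are this example's own names; the record array stands in for a DB row.
declare(strict_types=1);

// What the old code stored: the unsalted md5 hex digest of the password.
function legacyRecord(string $password): array
{
    return ['password_hash' => md5($password)];
}

// A legacy value is exactly 32 hex characters; password_hash() output starts
// with an algorithm prefix such as "$2y$" and is much longer.
function isLegacyMd5(string $stored): bool
{
    return preg_match('/^[0-9a-f]{32}$/i', $stored) === 1;
}

// Returns [accepted, record]. The record comes back with an upgraded
// password_hash when a legacy md5 was verified, or when PHP's default
// algorithm or cost has moved on since the stored hash was made.
function checkLogin(array $record, string $password): array
{
    $stored = $record['password_hash'];

    if (isLegacyMd5($stored)) {
        // hash_equals() compares in constant time, unlike == or ===.
        if (!hash_equals(strtolower($stored), md5($password))) {
            return [false, $record];
        }
        // Correct password: replace the md5 with a salted, slow hash right now.
        $record['password_hash'] = password_hash($password, PASSWORD_DEFAULT);
        return [true, $record];
    }

    if (!password_verify($password, $stored)) {
        return [false, $record];
    }
    if (password_needs_rehash($stored, PASSWORD_DEFAULT)) {
        $record['password_hash'] = password_hash($password, PASSWORD_DEFAULT);
    }
    return [true, $record];
}

// Walk-through on a constructed legacy record.
$record = legacyRecord('hunter2');

foreach (['wrong-guess', 'hunter2', 'hunter2'] as $attempt) {
    [$accepted, $record] = checkLogin($record, $attempt);
    printf("attempt %-12s %-8s stored hash is now %s\n",
        $attempt,
        $accepted ? 'accepted' : 'rejected',
        isLegacyMd5($record['password_hash']) ? 'legacy md5' : 'password_hash()');
}
```

The first attempt is rejected and leaves the md5 row untouched, the second is accepted and replaces it, and the third is verified through password_verify(). This pattern leaves md5 values in the table until each user logs in again; if that window is unacceptable, the usual alternative is to wrap every stored digest immediately, for example password_hash(md5) for all rows, and verify against the wrapped form until the user next logs in.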

how unsafe is it to use the md5 password as the token in the recover-password email?

It's at least theoretically unsafe. See e.g. "md5 decoding. How they do it?" and "MD5 security is fine?".

But why do that in the first place? The following would be much more secure, and only marginally more difficult to implement:

  1. Generate a random key, e.g. 123456789abc
  2. Store it in the user record
  3. Add the key to the URL lookup.php?key=123456789abc
  4. When the user clicks the URL, look up the key to find the correct E-Mail address.
  5. Once the operation has completed, delete the key.

Give the key a lifetime of, say, 24 hours so illegitimate requests fade away.
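The reset-link flow recommended above (option 3 of the first answer and the five steps just listed: random key, stored on the user record, sent in a URL, looked up and deleted on use, 24-hour lifetime), as an added example in PHP that is not code from the original answers. It assumes PHP 7.0+ for random_bytes() and password_hash(); an in-memory SQLite database through PDO stands in for the real users table, and the schema, the function names and the URL https://example.com/reset.php are this example's own choices.

```php
<?php
// Added example, not code from the original answers: the reset-link flow they
// recommend. Storage is an in-memory SQLite database via PDO standing in for
// the real users table; schema, function names and the reset URL are assumed.
declare(strict_types=1);

const RESET_LIFETIME = 24 * 3600;   // 24 hours, as the answer suggests

function db(): PDO
{
    static $pdo = null;
    if ($pdo === null) {
        $pdo = new PDO('sqlite::memory:', null, null,
            [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
        // reset_token_hash holds sha256(key), never the key itself;
        // reset_expires is the unix time after which the key is dead.
        $pdo->exec('CREATE TABLE users (
            id INTEGER PRIMARY KEY,
            email TEXT UNIQUE NOT NULL,
            password_hash TEXT NOT NULL,
            reset_token_hash TEXT,
            reset_expires INTEGER)');
    }
    return $pdo;
}

function register(string $email, string $password): void
{
    db()->prepare('INSERT INTO users (email, password_hash) VALUES (?, ?)')
        ->execute([$email, password_hash($password, PASSWORD_DEFAULT)]);
}

// Steps 1-3: make a random key, store its hash on the user record, return the
// URL to email. Only the hash is stored, so someone who can read the users
// table (the very scenario password hashing guards against) cannot forge a
// link. Returns null for an unknown address; the caller should show the same
// "check your mail" message either way so the form does not reveal accounts.
function requestReset(string $email, int $now): ?string
{
    $stmt = db()->prepare('SELECT id FROM users WHERE email = ?');
    $stmt->execute([$email]);
    $user = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($user === false) {
        return null;
    }
    $key = bin2hex(random_bytes(32));   // 256 bits from the CSPRNG, not derived from the password
    db()->prepare('UPDATE users SET reset_token_hash = ?, reset_expires = ? WHERE id = ?')
        ->execute([hash('sha256', $key), $now + RESET_LIFETIME, $user['id']]);
    return 'https://example.com/reset.php?key=' . $key;
}

// Steps 4-5: look the key up by its hash, refuse it after the lifetime, set the
// new password and delete the key so the same link cannot be replayed.
function completeReset(string $key, string $newPassword, int $now): bool
{
    $stmt = db()->prepare('SELECT id, reset_expires FROM users WHERE reset_token_hash = ?');
    $stmt->execute([hash('sha256', $key)]);
    $user = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($user === false || $now > (int) $user['reset_expires']) {
        return false;
    }
    db()->prepare('UPDATE users SET password_hash = ?, reset_token_hash = NULL,
                   reset_expires = NULL WHERE id = ?')
        ->execute([password_hash($newPassword, PASSWORD_DEFAULT), $user['id']]);
    return true;
}

function login(string $email, string $password): bool
{
    $stmt = db()->prepare('SELECT password_hash FROM users WHERE email = ?');
    $stmt->execute([$email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row !== false && password_verify($password, $row['password_hash']);
}

// Pull the key back out of the URL the way reset.php would read $_GET['key'].
function keyFromUrl(string $url): string
{
    parse_str((string) parse_url($url, PHP_URL_QUERY), $query);
    return $query['key'];
}

// Walk-through with a constructed user and a fixed clock.
register('alice@example.com', 'old-password');
$now = 1700000000;

$key = keyFromUrl(requestReset('alice@example.com', $now));
$results = [
    'reset within lifetime' => completeReset($key, 'new-password', $now + 3600),
    'same link used again'  => completeReset($key, 'attacker-choice', $now + 3600),
    'login, new password'   => login('alice@example.com', 'new-password'),
    'login, old password'   => login('alice@example.com', 'old-password'),
];
$stale = keyFromUrl(requestReset('alice@example.com', $now));
$results['link after 24 hours'] = completeReset($stale, 'late', $now + RESET_LIFETIME + 1);

foreach ($results as $case => $ok) {
    printf("%-22s %s\n", $case, $ok ? 'accepted' : 'rejected');
}
```

Only the first reset and the login with the new password are accepted; the replayed link, the old password and the link presented after 24 hours are all rejected. Looking the key up by its SHA-256 avoids a plain string comparison against the submitted value; with 256 bits of entropy behind it, the hash is also safe to use as an ordinary indexed column.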

How to recover password from MD5?

This cannot be done.[1]

MD5 is a hashing function and not an encryption function. It is a one-way process and not reversible.

[1] Actually, there are many such passwords (inputs) which will result in the same MD5 value when hashed, but it's "hard" to find just one and [generally] impossible to find the original one. This is what "cracking" a password does - it finds one such input that, when hashed, results in the particular output. (And I will provide no more help down this road.)
