TalkPHP (http://www.talkphp.com/forums.php)
Absolute Beginners: Wtf? Password Recovery? MD5? Unreversable? !! (http://www.talkphp.com/absolute-beginners/2267-wtf-password-recovery-md5-unreversable.html)

Aaron 02-17-2008 10:55 AM

Wtf? Password Recovery? MD5? Unreversable? !!
 
As the title states, I need to ask; how do you make a password recovery when the database MD5's the value? There is no way to reverse MD5, and storing the password as plain-text is not safe... so how do you do it?

sjaq 02-17-2008 11:49 AM

You just don't..

Aaron 02-17-2008 12:40 PM

... You kind of need a way to recover passwords, don't you?

Salathe 02-17-2008 01:23 PM

No. If someone forgets their password, it's better (and the only option) to make a new one.

SOCK 02-17-2008 03:55 PM

Quote:

Originally Posted by Salathe (Post 10920)
No. If someone forgets their password, it's better (and the only option) to make a new one.

Exactly. It's very common (this forum does it, for example) to have a 'reset password' function. MD5 is a one-way hash, it can't be reversed. You come up with a decent algorithm to create a perfectly random password, store it in the `user_password` field in the database for that user, and then email it to them. Hopefully, they still have access to that email account (and they alone have access to it), retrieve the new unique password and then login with that. Once logged in, they can reset (and you can then update the users table with) their own password.

Wildhoney 02-17-2008 04:08 PM

...Or what a lot of systems do is prompt you for a secret question, and then the question's secret answer. Then when you want to reset the password, you need to answer the question. That then allows you to change your password even if you no longer have access to the email address associated with your account. Then from within the system you will be able to change the email.

wiifanatic 02-18-2008 12:32 AM

It's made to be irreversible.
To check passwords use:
PHP Code:

// $userPass holds the MD5 hash stored in the database for this user, so hash the
// submitted password the same way and compare with a strict (===) check.
if (md5($_POST['pass']) === $userPass) {
    // Good Password!
} else {
    // Bad Password!
}


And to retrieve it, just tell them to reset it.

Andrew 02-18-2008 01:56 AM

Quote:

Originally Posted by wiifanatic (Post 10956)
It's made to be irreversible.
To check passwords use:
PHP Code:

// $userPass holds the MD5 hash stored in the database for this user, so hash the
// submitted password the same way and compare with a strict (===) check.
if (md5($_POST['pass']) === $userPass) {
    // Good Password!
} else {
    // Bad Password!
}


And to retrieve it, just tell them to reset it.

He wasn't asking how to check passwords, he wanted to know how sites allow users to reset their passwords or get the password sent to them if they forgot it.

Aaron 02-18-2008 02:34 AM

Thanks for all of your help! I really didn't even think of a password reset.

ReSpawN 02-18-2008 08:54 AM

Quote:

Originally Posted by Aaron (Post 10967)
Thanks for all of your help! I really didn't even think of a password reset.

Seriously, most people (including me sometimes) forget that setting a new password is the best option. If you know a person very well, even a secret question won't suffice.

What you do is:

1. Login?
2. Forgot your password?
3. Send a mail with an activation key (perhaps linked to IP) to RESET the password.
4. Reset (with a hash) the password and enter an approx. 12-character-long string.
5. Send the password to the email together with an activation key.
6. Let the user enter the OLD password, the activation key and then once logged in (or at the activation key page) set their new password immediately.

Most secure and common way to do it I guess.
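The reset flow from the steps above, written out as an added example that is not from this thread or any poster here: a random reset token is issued, only its hash is stored with an expiry, and the raw token goes into the emailed link once; completing the reset checks the token in constant time and stores the user's new password with password_hash() rather than MD5. The `$users` array stands in for the database, `issueResetToken()` and `completeReset()` are names chosen here, and building `$link` stands in for the mail step.

```php
<?php
declare(strict_types=1);

const RESET_TTL = 3600; // a reset link is valid for one hour

// Constructed sample data standing in for the users table.
$users = [
    'aaron' => [
        'email'         => 'aaron@example.com',
        'password_hash' => password_hash('old-secret', PASSWORD_DEFAULT),
        'reset_hash'    => null,
        'reset_expires' => 0,
    ],
];

// Step 3: create a random token, store only its hash, hand the raw token to the mailer.
function issueResetToken(array &$users, string $username): ?string
{
    if (!isset($users[$username])) {
        return null; // the page shown to the user should look the same either way
    }
    $token = bin2hex(random_bytes(32)); // 256 bits of randomness, never stored as-is
    $users[$username]['reset_hash']    = hash('sha256', $token);
    $users[$username]['reset_expires'] = time() + RESET_TTL;
    return $token;
}

// Step 6: accept the token from the link, check it and the expiry, set the new password.
function completeReset(array &$users, string $username, string $token, string $newPassword): bool
{
    $u = $users[$username] ?? null;
    if ($u === null || $u['reset_hash'] === null || time() > $u['reset_expires']) {
        return false;
    }
    if (!hash_equals($u['reset_hash'], hash('sha256', $token))) {
        return false; // constant-time comparison of the stored hash against the presented token
    }
    $users[$username]['password_hash'] = password_hash($newPassword, PASSWORD_DEFAULT);
    $users[$username]['reset_hash']    = null; // the token is single use
    $users[$username]['reset_expires'] = 0;
    return true;
}

// Usage: the link is what the mail in step 5 would carry.
$token = issueResetToken($users, 'aaron');
$link  = 'https://example.com/reset.php?user=aaron&token=' . $token;
var_dump(completeReset($users, 'aaron', 'not-the-token', 'new-secret'));
var_dump(completeReset($users, 'aaron', $token, 'new-secret'));
var_dump(password_verify('new-secret', $users['aaron']['password_hash']));
```

The wrong token is refused, the real one is accepted once, and a second use of the same link fails because the stored hash has been cleared.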

flyingbuddha 02-21-2008 12:19 PM

I know it's a bit off the original question, but you could try using AES_ENCRYPT / AES_DECRYPT in mysql rather than MD5 for storing passwords, but I totally agree with the members saying that storing a non-reversible password is the best solution.
