Wtf? Password Recovery? MD5? Unreversable? !!

Aaron · 02-17-2008, 10:55 AM

As the title states, I need to ask; how do you make a password recovery when the database MD5's the value? There is no way to reverse MD5, and storing the password as plain-text is not safe... so how do you do it?

sjaq · 02-17-2008, 11:49 AM

You just don't..

Aaron · 02-17-2008, 12:40 PM

... You kind of need a way to recover passwords, don't you?

Salathe · 02-17-2008, 01:23 PM

No. If someone forgets their password, it's better (and the only option) to make a new one.

SOCK · 02-17-2008, 03:55 PM

Quote:

Originally Posted by Salathe

No. If someone forgets their password, it's better (and the only option) to make a new one.

Exactly. It's very common (this forum does it, for example) to have a 'reset password' function. MD5 is a one-way hash, it can't be reversed. You come up with a decent algorithm to create a perfectly random password, store it in the `user_password` field in the database for that user, and then email it to them. Hopefully, they still have access to that email account (and they alone have access to it), retrieve the new unique password and then login with that. Once logged in, they can reset (and you can then update the users table with) their own password.

Wildhoney · 02-17-2008, 04:08 PM

...Or what a lot of systems do is prompt you for a secret question, and then the question's secret answer. Then when you want to reset the password, you need to answer the question. That then allows you to change your password even if you no longer have access to the email address associated with your account. Then from within the system you will be able to change the email.

wiifanatic · 02-18-2008, 12:32 AM

Its made to be unreversable.
To check passwords use:

PHP Code:


			
if ($_POST['pass'] == $userPass) {
   // Good Password!
} else {
   // Bad Password!
}

And to retrieve it, just tell them to reset it.

Andrew · 02-18-2008, 01:56 AM

Quote:

Originally Posted by wiifanatic

Its made to be unreversable.
To check passwords use:

PHP Code:


			
if ($_POST['pass'] == $userPass) {

   // Good Password!

} else {

   // Bad Password!

}

And to retrieve it, just tell them to reset it.

He wasn't asking how to check passwords, he wanted to know how sites allow users to reset their passwords or get the password sent to them if they forgot it.

Aaron · 02-18-2008, 02:34 AM

Thanks for all of your help! I really didn't even think of a password reset.

ReSpawN · 02-18-2008, 08:54 AM

Quote:

Originally Posted by Aaron

Thanks for all of your help! I really didn't even think of a password reset.

Seriously, most people (including me sometimes) forget that setting a new password is the best option. If you know a person very well, even a secret question wont suffice.

What you do is:

1. Login?
2. Forgot your password?
3. Send a mail with an activation key (perhaps linked to IP) to RESET the password.
4. Reset (with a hash) the password and enter a approx. 12 long string.
5. Send the password to the email together with an activation key.
6. Let the user enter the OLD password, the activation key and then once logged in (or at the activation key page) set their new password intimidate.

Most secure and common way to do it I guess.

flyingbuddha · 02-21-2008, 12:19 PM

I know it's a bit off the original question, but you could try using AES_ENCRYPT / AES_DECRYPT in mysql rather than MD5 for storing passwords, but I totally agree with the members that saying storing a non-reversible password is the best solution.