I have an md5 encrypted password; how do I give the password to the user when he uses “Forgot password”?

我在风中等你 2021-01-13 04:50

I have a database entry for the password in md5 format, but when the user uses "Forgot password", how can I give him/her the desired password?

5 answers
  •  一向 (original poster)
    2021-01-13 05:21

    You can't - MD5 is simply a "one way" hash - not a means of encrypting data that can subsequently be decrypted.

    As such, the general idea is to:

    1. Send the user an email to their registered address with a reset link in it. (To prove they actually own the address.) The reset link should contain a hash based on some aspect of their specific user data so it can't be easily guessed, etc. (e.g.: Account creation time.)

    2. When the user clicks the link they land on a password reset page that checks the above hash, generates a new password (ideally a mix of upper/lower and some numeric characters, although I always tend to omit characters such as '0', 'o', 'O', etc. for the sake of clarity) and then sends the user the new password in an email, advising them that they should change this password as soon as possible.

    The user can then log in and access the site as per usual.
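
The two steps from the answer above, sketched as an added example (not part of the original answer or any project's code). It swaps in two things: the value in the link is a random single-use token from the OS CSPRNG rather than a hash of account data, and the user chooses the new password, which is stored as a salted PBKDF2 hash, instead of receiving one by email. The in-memory dicts, function names, TTL and work factor are assumptions.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL = 3600          # assumed: a reset link expires after one hour
PBKDF2_ROUNDS = 200_000   # assumed work factor for the stored password hash

# Constructed in-memory stand-ins for two database tables.
resets = {}      # sha256(token) -> (user_id, expires_at)
passwords = {}   # user_id -> (salt, pbkdf2 hash)


def _digest(token):
    return hashlib.sha256(token.encode()).hexdigest()


def issue_reset_token(user_id, now=None):
    """Step 1: create the unguessable value that goes into the emailed link."""
    now = time.time() if now is None else now
    for key in [k for k, (uid, _) in resets.items() if uid == user_id]:
        del resets[key]                    # only the newest link stays valid
    token = secrets.token_urlsafe(32)      # 256 random bits, not derived from user data
    resets[_digest(token)] = (user_id, now + TOKEN_TTL)  # store only the digest
    return token


def redeem_reset_token(token, new_password, now=None):
    """Step 2: check the token from the link, then set the new password."""
    now = time.time() if now is None else now
    entry = resets.pop(_digest(token), None)   # pop makes the token single-use
    if entry is None or now > entry[1]:
        return False                           # unknown, reused or expired
    salt = secrets.token_bytes(16)
    hashed = hashlib.pbkdf2_hmac("sha256", new_password.encode(), salt, PBKDF2_ROUNDS)
    passwords[entry[0]] = (salt, hashed)
    return True


def check_password(user_id, password):
    """Login check against the salted hash, compared in constant time."""
    if user_id not in passwords:
        return False
    salt, hashed = passwords[user_id]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, hashed)
```

Because only the SHA-256 digest of the token is stored, a read of the resets table does not yield usable reset links.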
