I am currently using md5 function to encrypt my password and save to mysql db which can not be decrypted.
Now my user want that when they forgot password, they shou
Don't do that, it will compromise your security! The whole idea of one way encryption is that if your database is hacked you won't face the problem that all your users passwords will be known alongside with their email addresses!
Don't do that...
First, use something better than md5. Then create a way to "reset" the password, but never a way to actually retreive the password from the db...
That will make your app less secure, but maybe even worse; you and your users will have a problem if your data gets stolen! Someone is going to have a database with usernames and passwords of all your users!
It's not safe to do that you better can create a way to reset the password
Encrypting instead of hashing means that you have to store the decrypt key, which means reduced security for your app. Reset their password, and send them the new one.
how about crypt() or openssl?
It is not possible to store the password in such a way that it is still recoverable without either
1) storing the decryption key in your code/data (which rather defeats the purpose of hashing/encrypting the password)
2) encrypting the password using public/private key encryption the routing the recovery through som sort of semi-manual process where the password can be recovered.
The simplest solution is to require your users to provide/maintain a current email address and rely on the security of that to provide a new password on request.
C.