I Have md5 encrypted password, how to give the password to user when he uses “Forgot password”?

Question

I have database entry for password in md5 format, but when user uses the \"Forgot password\" then how can i give him/her the desired password?

Answer 1

You can't - MD5 is simply a "one way" hash - not a means of encrypting data that can subsequently be de-crypted.

As such, the general idea is to:

1. Send the user an email to their registered address with a reset link in it. (To prove they actually own the address.) The reset link should contain a hash based on some aspect of their specific user data so it can't be easily guessed, etc. (e.g.: Account creation time.)

2. When the user clicks the link they land on a password reset page that checks the above hash, generates a new password (ideally a mix of upper/lower and some numeric characters, although I always tend to omit character such as '0', 'o', 'O', etc. for the sake of clarity) and then sends the user the new password in an email, advising them that they should change this password as soon as possible.

The user can then log-in and access the site as per usual.

Answer 2

You got a 1/100 chance of recovering that password (dictionary method) given the length of the password. I won't recommend it.

It's better to generate a new random password, and send it to the user's email.

Answer 3

You can't do it without putting the password in the database, which is undesirable, but you can generate him/her a new password and send it to them. Or a link where they can reset their password.

Answer 4

You can't do that from an MD5 hash; nor should you be able to. Password recovery ought to be intractable.

The usual process is to send a password-reset token (URL) to their email address so that the user can choose a new password.

Answer 5

you have to send a new password to the user and then set into the database also. otherwise the original password may not recover.

Thanks.