md5() question

pablogosse

Hi all. I'm currently working on a portal site, and I'm storing user passwords in a PostgreSQL database after they've been encrypted by the md5() function.

I want to have a page where the user can enter their email address and username and have their password emailed to them if they've forgotten it.

However, since the password stored in the database has been encrypted by the md5() function, is there a way to "un-md5()" the password so it can be read by the user?

I would think not, but I'd like to get some feedback from people here.

Is the only way to have this work properly to store the password as plain text in the database?

Thanks in advance,
Pablo

Weedpacket

This question is asked on a very frequent and tedious basis (try searching the forums for md5).

The answer, in short, is No. For one thing, md5 was never designed to encrypt passwords. If it works properly, the only way to "unmd5" a hashed password is to try password after password after password until you manage to hit on one that hashes to what's in the database.

Pig

do not use md5 if you want them to get their password back

alternatively, you could reset their password to a random string, and email them their new password.

pablogosse

Thanks, that's an excellent idea.

Cheers,
Pablo