Passwords in databases

piersk

Ok, heres a tricky one thats got me stumped:

vBulletin, YABBSE and phpBB all store passwords in an encrypted format (I think they use [man]md5()[/man]). However, if you forget what your password is, they are able to send it to you in plaintext.

My question is: how can I unencrypt a password stored in a database? Does anyone know how any of the above boards do it?

berbbrown

Is phpBB open source, if so, why not download the code and 'ave a look-see.

I always thought MD5 encrypted one way, in effect no way to decrypt it.

But what do I know - I am beginner!!

nileshd

I dont think they send you the same exact password... they build a new one for you on the fly and send you the new generated password. md5 is a one-way algorithm.. u cant decrypt it..

hermand

Like they said, if its MD5 they definately don't decrypt it. Think of it like the check numbers on credit cards, there are only 9 possibilites but millions of variations of numbers that can create them!

The usual idea is to either re generate one on the fly, or provide some kind of check and then allow the user to change it.