Hello,
I'm working on a project where users need to sign up for accounts. I want to make a script where, if people forget their password, they can have it emailed to them.

I encrypted the passwords in a MySQL database using md5 encryption.

What's the easiest way of going about this? Should I change the encryption method, or is there a way to reverse md5, so they can see their password?

    The way most people do it is to email them a randomly generated password and then once they log in with their new password, they have the option of changing it to something else.

      md5 is not encryption, and cannot be reversed without some brute force application, if that can even do it.

      Your best bet would be to use the encrypt functions. Check php.net function library for more information.

      Or, you can use md5, but instead of giving them the password, have an email sent to their box giving them the ability to change the password. Similar to what this bulletin board software does.
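
The reset-by-email approach suggested in the post above, as an added example that is not code from any poster in this thread. Assumptions: in-memory arrays stand in for the MySQL tables, the function names, the 30-minute expiry and the example.com address are hypothetical, and the new password is stored with PHP's `password_hash()` rather than the `md5()` discussed in the thread.

```php
<?php
// Constructed sample data: arrays stand in for the users and resets tables.
$users  = ['alice@example.com' => ['password_hash' => password_hash('old-secret', PASSWORD_DEFAULT)]];
$resets = [];   // email => ['token_hash' => ..., 'expires' => unix time]

// Step 1: the user asks for a reset. Returns the token to place in the emailed link.
function request_reset(array &$resets, array $users, string $email, int $now): ?string
{
    if (!isset($users[$email])) {
        return null;                         // caller shows the same message either way
    }
    $token = bin2hex(random_bytes(32));      // 256 bits from the CSPRNG
    $resets[$email] = [
        'token_hash' => hash('sha256', $token),  // only a hash of the token is stored
        'expires'    => $now + 1800,             // 30 minutes (assumed policy)
    ];
    return $token;
}

// Step 2: the user follows the link and submits a new password.
function complete_reset(array &$resets, array &$users, string $email,
                        string $token, string $newPassword, int $now): bool
{
    $row = $resets[$email] ?? null;
    if ($row === null || $now > $row['expires']) {
        unset($resets[$email]);              // missing or expired request
        return false;
    }
    // Constant-time comparison of the stored hash with the hash of the submitted token.
    if (!hash_equals($row['token_hash'], hash('sha256', $token))) {
        return false;
    }
    $users[$email]['password_hash'] = password_hash($newPassword, PASSWORD_DEFAULT);
    unset($resets[$email]);                  // the token is single use
    return true;
}

$now   = time();
$token = request_reset($resets, $users, 'alice@example.com', $now);
// A real script would mail a link carrying $token instead of using it directly.
var_dump(complete_reset($resets, $users, 'alice@example.com', 'wrong', 'n3w-pass', $now)); // wrong token
var_dump(complete_reset($resets, $users, 'alice@example.com', $token, 'n3w-pass', $now));  // correct token
var_dump(complete_reset($resets, $users, 'alice@example.com', $token, 'again', $now));     // same token reused
var_dump(password_verify('n3w-pass', $users['alice@example.com']['password_hash']));
```

The old password is never recovered or mailed; only a short-lived, single-use token leaves the server.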

        MD5 is a one-way hashing algorithm, rheroux's resolve is probably the best.

          Unless you're nuts, md5 cannot be undone. The only way to undo md5, is rather resource intensive, as you will have to generate md5 hashes for every possible password, and then compare them to the password stored for that user. Assuming that your passwords are case sensitive, and can be only letters and numbers, means that you have 62 possible characters, on a standard, US English keyboard, for each possible position, continuing on, the following lists the possible number of passwords for each given length:

          4 characters: 3,844
          5 characters: 238,328
          6 characters: 14,776,336
          7 characters: 916,132,832
          8 characters: 56,800,235,584
          9 characters: 3,521,614,606,208
          10 characters: 218,340,105,584,896

          For each character, the result multiplies by 62 from the previous number, i.e. one character means 62 possible hashes, two means (62 x 62), three means (62 x 62 x 62), and so forth, getting the figures I showed above. md5 is the best encryption to use for passwords, and sensitive data that is stored on the web, because it is extremely one way.

          To undo it, IF you have access to the database where the encrypted forms are stored, you would either need a table with every possible combination of hashes, from the absolute minimum password for the site, to the absolute maximum. After that, you would have to compare the encrypted value, to the known hashes, and then match the hash to the string you used to generate it. Yes, such could easily be automated, but stop and think of the resources that it will take to generate the hash lookup table, both in terms of storage, as well as CPU and memory usage. Such gets very prohibitive, as the number of possible combinations grows exponentially. Especially since most servers will allow a script only 30 seconds or less to execute.

          Your best choice, is to send them a random password, to a verified email account, using either a secret question system, and/or a turning number system to be sure it is the right person and is a human requesting it, and not a script or such trying to request it, and redirect the output to a place where someone else can get access to the new password, and steal someone's account...

          Dark Tempest...

            If you're looking for something that works similar to md5, you can try out base64_encode() and base64_decode() - it's not bullet proof by all means, but it could give you the desired results you're looking for.

            🙂
