hash

Anon

After the user make registration,
the userid and password will be hashed and
store in database using php hash function.

So, when the user forgot his/her password,
how i let them know their password(since
the password was hashed) ?

For example :
User Enter Password : mickey
Password that hashed and store in database:
xmdfj12jojlgh9

if i retrieve this password from database and send to the user who forgot password then in his mailbox will show this :
xmdfj12jojlgh9 instead of mickey.

Is it possible return mickey to him ?

thanks for answering.

Anon

Yeah... write a brute force cracker and crack the password.. then send it to him...

hehe...
That's the only way it can be done

Andreas

Anon

md5() is a one-way hash, like a sausage grinder. You can't run it backwards and recreate the pig. Generate a new password for the user and mail that to the user, asking him to come change it ASAP.

Anon

You do want to include some kind of sanity check to ensure third-parties have a difficult time mounting a denial-of-service attack by entering an email-me-a-new-password request for other users. In a recent project, we decided to use a completely separate "magic string" (using uniqueid) and allowing the user to access their account via this string as an alternative to using their password (with a fairly short timeout in place.) That way, the actual password doesn't change w/o the user knowing it, and if a malicious third party enters a change-request, it just quietly expires.

Anon

Ok, i will recreate the password and send to
them.

but this hashed password, is posible crack
by cracker if they able to get the
hashed password ?

Anon

The built-in md5 is not very strong, but it's better than crypt and definitely better than anything home-made. If you need better security, install the mhash module and you can have your choice of a number of stronger hash functions.

Anon

Why are you talking so much about md5()..

mike said that the hash was xmdfj12jojlgh9 and that means it's not md5 hash (md5 got 16 characters and the only characters that is alowed are 0-9 a-f (heximal chars)).

Anyway... as i said, you'll need a brute force/dictionary cracker to crack that kinda password, and there are a lot of these crackers out there. and the password could probably be cracked in under 24 hours.

but still.. it's one of the most secure ways to protect a site.. We use cryptocard on one of our servers and to my knowlege that is proabably as secure as you get it. But remember, no system is hack proof.

Andreas

Anon

xmdfj12jojlgh9, this hashed is just an
example.

I know there is no system is hack proof,
but at least we narrow down the possibility.
right ?!

And i'm rent a host from ISP, so if they
didn't install some neccessary library,
i also couldn't use for example mhash(),
since i dont have authority for it.

Thanks you guys for all the information
give, i get a lot of idea implicitly as well
explicitly.