Forgot Password!

Anon

Hi,

I have a database which has a list of users and password. Now i have a function which mails the user his password if he forgets his password.

The problem now is, i am planning to use the password function to store the password. This means the password will be encrypted in the database.

How do i mail the user his password ? Or give me some other method wherein i can show the user his password.

Thanks,
Karthik.

kparker

You can't; it's actually hashed rather than encrypted, so there is no way (other than brute-force cracking) to recover the stored password.

As an alternative, consider sending the user a one-time magic access token (e.g. a long string created by md5(uniqid()) or something) that is tied to their account. They must use this to gain access to the password-change page and then can reset their password to whatever new value they like. For extra safety, require the "magic" access to be from the same ip address and port as the forgot-password request; that will make it harder (though not impossible) for a third party to request the change and then view the access code in transit.

chowdary

Hi,
Yes,there is no way you can decrypt the password encrypted using PASSWORD() function.
If you want to save the password encrypted in your MySQL database the password field must be of BLOB data type.
You can use the ENCODE and DECODE functions to ENCRYPT and DECRYPT

Here is how you can do it
Ex table: users

    Name(VARCHAR)  Pwd(BLOB)

To ENCRYPT

$qry="insert into users values('$name',ENCODE('$password','sweetie'))";

Here "sweetie" is my password to DECRYPT.
Note that this PASSWORD is your password to ENCRYPT and DECRYPT not users.

To DECRYPT

$qry="select DECODE(Pwd,'sweetie') as Password from users";
Pwd--is the field name in database
Notice that you need to use your password(which has been used to encrypt) to DECODE

The rest is as usual........

Hope this gives you an idea....

Anon

Hi,

Thanks a lot... i will try it out.

Karthik.