
PHP/MySQL - md5 passwords

bozley05

I am creating a PHP script and using MySQL with it for the first time. I have been going along smoothly until my send password reminder... For passwords in the MySQL db I wanna have them in md5 format for security reasons, but because of this the password reminder e-mail sends the password in md5 format rather than the password the user types in.

Any ideas?
 
You can always make the email send a password-change confirmation, then regenerate a new password, email them the new password, then md5 it to your db.
 
Originally posted by Canuckkev
You can always make the email send a password-change confirmation, then regenerate a new password, email them the new password, then md5 it to your db.

That's good thinking! Problem solved :)

Thanks
 
Well, generating a new password is a common method for retrieving a lost password. Since md5 is a one-way hash, it cannot be decrypted. Consequently, a new password has to be generated when a user loses his/hers.

What should be considered deeply is generating user-friendly passwords. For example, mail.yahoo.com retrieves a password by grabbing a database which contains familiar words (in combination with special characters and alphanumerics) and pops a random password from the database. This is a better way than generating "meaningless" new passwords.

However, there is another way: to use a two-way hash. You can use, for example, "base64_encode" and "base64_decode" combined with a special function (to fuzzy up password cracker programs). With this method, the user will never lose his/her password.

It depends on you to decide.
 
Another way would be to send a password reset link through email.
You generate a random password, store the MD5 hash in the database, create a password reset page and include a link like http://yourdomain.com/passwordreset.php?username=user&passreset=randompassword
If they click on it they get a page that asks them to choose a new password.

A lot of people will use the same password over and over for a dozen different things, so having it stored in a way that could potentially allow someone to "hack" them isn't very secure.
 
It's never wise to pass a password or username using GET.

It depends on the system.
Although it's unwise, the link is sent to the user's email such that only hijackers (or some people right there) will feel interested in it.

Advanced systems will use intricate password recovery mechanisms and we wouldn't talk about it here, right??
 
Originally posted by spec
It's never wise to pass a password or username using GET.

Considering it's only a one-time-only valid password that will get reset as soon as the page loads, there shouldn't be a problem.
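
The one-time reset link discussed in the posts above, as an added example that is not part of the thread: the e-mailed token is random, stored only as a hash, expires, and works once. The `$resets` array stands in for a MySQL table and the function names are hypothetical; `password_hash()` is PHP's built-in password hashing API, used here in place of `md5()`.

```php
<?php
// Added example, not code from the thread. All names are hypothetical.
// $resets stands in for a MySQL table (token_hash, user, expires).
$resets = [];

// Issue a reset token. The raw token goes only into the e-mailed link;
// the store keeps its SHA-256 hash, so a database leak exposes no usable link.
function issue_reset_token(array &$resets, string $user, int $ttl = 3600): string
{
    $token = bin2hex(random_bytes(32)); // 256 bits from the system CSPRNG
    $resets[hash('sha256', $token)] = ['user' => $user, 'expires' => time() + $ttl];
    return $token;
}

// Redeem a token. Returns the user and the new password hash to store,
// or null when the token is unknown, expired, or already used.
function redeem_reset_token(array &$resets, string $token, string $newPassword): ?array
{
    $key = hash('sha256', $token);
    $row = $resets[$key] ?? null;
    unset($resets[$key]); // single use: the row is gone after the first attempt
    if ($row === null || time() > $row['expires']) {
        return null;
    }
    return [
        'user'          => $row['user'],
        'password_hash' => password_hash($newPassword, PASSWORD_DEFAULT), // salted, slow hash
    ];
}

// Constructed walk-through: the link carries only the token, no username or password.
$token = issue_reset_token($resets, 'user');
echo 'http://yourdomain.com/passwordreset.php?token=' . urlencode($token), "\n";

$first  = redeem_reset_token($resets, $token, 'password chosen by the user');
$second = redeem_reset_token($resets, $token, 'another password');
var_dump(password_verify('password chosen by the user', $first['password_hash']));
var_dump($second);
```

The first redemption yields a hash that `password_verify()` accepts for the chosen password; the second call with the same token returns null because the row was deleted on first use.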
 
bozley05 said:
I am creating a PHP script and using MySQL with it for the first time. I have been going along smoothly until my send password reminder... For passwords in the MySQL db I wanna have them in md5 format for security reasons, but because of this the password reminder e-mail sends the password in md5 format rather than the password the user types in.

Any ideas?

md5 encrypt in PHP is not the same as md5 in MySQL
 