forgot my password

PHP programming forum. Ask questions or help people concerning PHP code. Don't understand a function? Need help implementing a class? Don't understand a class? Here is where to ask. Remember to do your homework!

Moderator: General Moderators

User avatar
fresh
Forum Contributor
Posts: 259
Joined: Mon Jun 14, 2004 10:39 am
Location: Amerika

forgot my password

Post by fresh »

hey,

Im looking to do a forgot my password script, I md5'd the passes, and have the algorithm, to decrypt it back, but my questions concerns the scripting and sql querying, how would I go about doing this...? All help is appreciated... :)
zenabi
Forum Commoner
Posts: 84
Joined: Mon Sep 08, 2003 5:26 am
Location: UK

Re: forgot my password

Post by zenabi »

fresh wrote:I md5'd the passes, and have the algorithm, to decrypt it back
I was under the impression that md5 was a one-way encryption, just how easy is it to decrypt md5?
User avatar
markl999
DevNet Resident
Posts: 1972
Joined: Thu Oct 16, 2003 5:49 pm
Location: Manchester (UK)

Post by markl999 »

See the first user comment here
User avatar
fresh
Forum Contributor
Posts: 259
Joined: Mon Jun 14, 2004 10:39 am
Location: Amerika

well

Post by fresh »

if you have the algorith that encrypted it, then purhaps you can decrypt it, by reversing it???
User avatar
fresh
Forum Contributor
Posts: 259
Joined: Mon Jun 14, 2004 10:39 am
Location: Amerika

hey

Post by fresh »

i have a script which does that already, I was asking how to query the db for the row with the columns according to the email they present, I suppose thats how it works, however I have no clue how to query the db for that pass, concerning the users inputted email... thanks
User avatar
John Cartwright
Site Admin
Posts: 11470
Joined: Tue Dec 23, 2003 2:10 am
Location: Toronto
Contact:

Post by John Cartwright »

i would get them to put ih their username into a form and when submitted:


Code: Select all

<?php

if (isset($_POST["submit"]))
{
$result = mysql_query("SELECT * users WHERE user='".$_POST["user"]."'");
$row= mysql_fetch_array($result);

$password = $row["password"]; // this is the password column name

//descryption of your md5 pw goes here

$email = $row["email"];
$subject = "Your Password";
$body = "Your password is $password";

mail($email, $subject, "$body");
}
else
{
echo '<form name="" method="post" action="">
  <input type="text" name="user">
</form>';
}
?>
Last edited by John Cartwright on Tue Jul 06, 2004 6:39 pm, edited 3 times in total.
User avatar
tim
DevNet Resident
Posts: 1165
Joined: Thu Feb 12, 2004 7:19 pm
Location: ohio

Post by tim »

phen, you forgot a $ for the subject var.

MD5 is not an encryption tool, its a hashing system. You cannot get the PW back.

read up on it in the wiki section.
User avatar
John Cartwright
Site Admin
Posts: 11470
Joined: Tue Dec 23, 2003 2:10 am
Location: Toronto
Contact:

Post by John Cartwright »

ty tim..

well in that case md5 cannot be decrypted

Code: Select all

<?php

if (isset($_POST["submit"])) 
{ 
$result = mysql_query("SELECT * users WHERE user='".$_POST["user"]."'"); 
$row= mysql_fetch_array($result); 

if ($_POST["email"] == $row["email"])
{

//jus do whatever randomizing function or method you want...
//in this case ill just use a 10 digit number
$password = rand(1000000000,9999999999);

$update = mysql_query("UPDATE users SET password='$password' WHERE user='".$_POST["user"]."'");

$email = $row["email"]; 
$subject = "Your Password"; 
$body = "Your password is $password"; 

mail($email, $subject, "$body"); 
}
else
{
echo "You have entered an invalid password";
}
} 
else 
{ 
echo '<form name="" method="post" action=""> 
  <input type="text" name="user"> 
  <input type="text" name="email"> 

</form>'; 
} 
 
?>
this will generate them a new password which is 10 digits..
i recommend you use something else than their email to prove their identify to get a new password generated.. but its a start :P
User avatar
fresh
Forum Contributor
Posts: 259
Joined: Mon Jun 14, 2004 10:39 am
Location: Amerika

thank you

Post by fresh »

all for all your help, I will ponder my methods for a day, because this is something quite new to me, and I am not use to having an option...lol, again thank you guys for your help... :)
User avatar
evilmonkey
Forum Regular
Posts: 823
Joined: Sun Oct 06, 2002 1:24 pm
Location: Toronto, Canada

Post by evilmonkey »

I have to add a comment about md5(). It is very very very easy to hack into. If I have an md5() hash (under 6 characters), I can crack it in under 5 minutes, and I'm not even a hacker, and this stuff doesn't interest me. Don't use it to store super-sensitive data such as credit card info or bank PINs. (PIN: 4 characters, this about how easy it is to brute-force). PHP.net users have suggested a good alrenative:

Code: Select all

$password = strrev(md5(md5(strrev(md5($inputpass)))));
Be sure to use this everywhere on the site. ;)

Good luck!
User avatar
Weirdan
Moderator
Posts: 5978
Joined: Mon Nov 03, 2003 6:13 pm
Location: Odessa, Ukraine

Post by Weirdan »

evilmonkey wrote:I have to add a comment about md5(). It is very very very easy to hack into. If I have an md5() hash (under 6 characters), I can crack it in under 5 minutes, and I'm not even a hacker, and this stuff doesn't interest me.
short passwords are insecure by definition, regardless of hashing algorithm used.
evilmonkey wrote: Don't use it to store super-sensitive data such as credit card info or bank PINs. (PIN: 4 characters, this about how easy it is to brute-force).
why would you hash pins or cc numbers at all? =)
evilmonkey wrote: PHP.net users have suggested a good alrenative:

Code: Select all

$password = strrev(md5(md5(strrev(md5($inputpass)))));
Be sure to use this everywhere on the site. ;)
It isn't more secure than plain simple md5.
d3ad1ysp0rk
Forum Donator
Posts: 1661
Joined: Mon Oct 20, 2003 8:31 pm
Location: Maine, USA

Post by d3ad1ysp0rk »

Weirdan wrote:It isn't more secure than plain simple md5.
Agreed, the only way it would make it harder to crack is if they submitted it to that password site that uses a network of computers to crack md5 values to text. (cant think of the URL).

Besides that, it's just as easy for a brute force hack, all it does it increase CPU load.
User avatar
fresh
Forum Contributor
Posts: 259
Joined: Mon Jun 14, 2004 10:39 am
Location: Amerika

to add

Post by fresh »

I know very well the weakness of md5, however, a little protection, means alot... especially to me, for I know it means alot to my users, so that's why I do it, 32 bit... The users I serve has been schooled on this and I urge them to pick misspelled words with both numbers and letters over 6 chars long... for example, If I make a pass, lets say gitsumdata as a pass, it would take very long to brute force... but like someone said, if it is something like, bird, then that would take about 2 mins to crack, if not less... I think I'm going with the new password, and make it valid only if they follow the link in their email, that way, other users, can't mess with peoples accounts, too much.. ;)

thanks guys for the help :)


P.s. I'm going with Phenom's script, one question, do I need to add a reference to my db, host, my user name, password, etc... first, within the same script? Or will this script due ok without it?

Thanks again guys
User avatar
Weirdan
Moderator
Posts: 5978
Joined: Mon Nov 03, 2003 6:13 pm
Location: Odessa, Ukraine

Post by Weirdan »

LiLpunkSkateR wrote: Agreed, the only way it would make it harder to crack is if they submitted it to that password site that uses a network of computers to crack md5 values to text. (cant think of the URL).
http://passcracking.com/ ? ;)
d3ad1ysp0rk
Forum Donator
Posts: 1661
Joined: Mon Oct 20, 2003 8:31 pm
Location: Maine, USA

Post by d3ad1ysp0rk »

That's the one.

Stupid site.. *grumble grumble*

lol
Post Reply