I am using a script I found online for sessions and such. I use the following to encrypt users' passwords before saving...
$encrypted = md5(md5($password).$salt);
Is it possible to get the password back, so as to email it to them in case they lose theirs? I have a bad feeling........
Getting passwords if lost...
- Chris Corbyn
Don't email them a password. Allow them to change it.
So, you could for example verify who they are by sending a link to their email address so only they can access it.
They can then choose a new password and simply overwrite the old one.
I'd have a security keyword in your db (or typically a "Secret Question") to aid in this verification.
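The reset-by-link flow described in the reply above, as an added example that is not part of the original thread or any poster's code. The in-memory arrays, the example.com URL, the 30-minute lifetime and the function names are assumptions; the new password is stored with PHP's password_hash() rather than the md5 construction from the question.

```php
<?php
declare(strict_types=1);

// Constructed sample data: arrays stand in for the users and reset tables.
$users  = ['alice@example.com' => ['hash' => password_hash('old-password', PASSWORD_DEFAULT)]];
$resets = [];

const RESET_TTL = 1800; // seconds a reset link stays valid (assumed policy)

// Step 1: create a one-time token. Only its SHA-256 digest is stored, so a
// leaked reset table does not contain usable links.
function requestReset(array &$resets, array $users, string $email, int $now): ?string
{
    if (!isset($users[$email])) {
        return null; // caller shows the same message whether or not the account exists
    }
    $token = bin2hex(random_bytes(32)); // 256 bits from the OS CSPRNG
    $resets[$email] = ['digest' => hash('sha256', $token), 'expires' => $now + RESET_TTL];
    return 'https://example.com/reset.php?email=' . urlencode($email) . '&token=' . $token;
}

// Step 2: redeem the token and overwrite the stored password hash.
function completeReset(array &$resets, array &$users, string $email, string $token, string $new, int $now): bool
{
    $row = $resets[$email] ?? null;
    if ($row === null || $now > $row['expires']) {
        return false; // no pending reset, or the link has expired
    }
    if (!hash_equals($row['digest'], hash('sha256', $token))) {
        return false; // constant-time comparison of the digests failed
    }
    unset($resets[$email]); // single use: the same link cannot be replayed
    $users[$email]['hash'] = password_hash($new, PASSWORD_DEFAULT);
    return true;
}

$now  = time();
$link = requestReset($resets, $users, 'alice@example.com', $now);
parse_str((string) parse_url($link, PHP_URL_QUERY), $q); // what reset.php would receive

var_dump(completeReset($resets, $users, 'alice@example.com', 'wrong', 'n3w-pass', $now));     // wrong token
var_dump(completeReset($resets, $users, 'alice@example.com', $q['token'], 'n3w-pass', $now)); // emailed token
var_dump(completeReset($resets, $users, 'alice@example.com', $q['token'], 'n3w-pass', $now)); // replay of the same link
var_dump(password_verify('n3w-pass', $users['alice@example.com']['hash']));                  // login with the new password
```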
timvw wrote: btw, why are you performing md5 on md5?
from this here http://www.olate.com/articles/185 His explanation is below.....
I will break it up into the two parts, firstly, it uses the md5() function to create a hash from the $password variable. Then, it uses the md5() function again, but this time it uses the $password hash, and the unencrypted $salt, to create a hash from the whole lot. This is a bit more secure than just having the following code:
$encrypted = md5($password);
guy's name is Matt Eunson, great stuff on the site!
feyd wrote: ...especially since colliding an md5 isn't all that hard anymore.
Surely hashing a hash would decrease the entropy of resulting hashes... but, if I remember correctly, to create a collision one would need to control both inputs. In other words, a collision attack is useless to break passwords stored this way.