Getting passwords if lost...

PHP programming forum. Ask questions or help people concerning PHP code. Don't understand a function? Need help implementing a class? Don't understand a class? Here is where to ask. Remember to do your homework!

LostOne
Forum Newbie
Posts: 18
Joined: Wed Jul 28, 2004 3:21 pm
Location: Florida

Getting passwords if lost...

Post by LostOne »

I am using a script I found online for sessions and such. I use the following to encrypt users' passwords before saving...

$encrypted = md5(md5($password).$salt);

Is it possible to get the password back, so as to email it to them in case they lose theirs? I have a bad feeling...
Chris Corbyn
Breakbeat Nuttzer
Posts: 13098
Joined: Wed Mar 24, 2004 7:57 am
Location: Melbourne, Australia

Post by Chris Corbyn »

Don't email them a password. Allow them to change it.

So, you could, for example, verify who they are by sending a link to their email address so only they can access it.

They can then choose a new password and simply overwrite the old one.

I'd have a security keyword in your db (or typically a "Secret Question") to aid in this verification.
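The reset-by-link flow described above, as an added PHP example (not code from the thread or from the script the poster is using). It assumes a PDO connection and the users / password_resets tables named in the comments, stores only a hash of the emailed token, expires it, and writes the new password with password_hash() rather than the md5 scheme from the first post:

```php
<?php
// Added example, not from the thread. Assumed schema:
//   users(id, email, password_hash)
//   password_resets(user_id, token_hash, expires_at)
declare(strict_types=1);

// Step 1: user asks for a reset. Generate a random token, store only its
// hash, and mail the raw token. Behave the same whether or not the address
// exists, so the form does not reveal which emails are registered.
function requestReset(PDO $pdo, string $email, callable $sendMail): void
{
    $stmt = $pdo->prepare('SELECT id FROM users WHERE email = ?');
    $stmt->execute([$email]);
    $userId = $stmt->fetchColumn();
    if ($userId === false) {
        return; // same outward result as the success path
    }
    $token     = bin2hex(random_bytes(32));  // 256 bits of entropy
    $tokenHash = hash('sha256', $token);     // DB never holds the raw token
    $expires   = (new DateTimeImmutable('+1 hour'))->format('Y-m-d H:i:s');
    $pdo->prepare('DELETE FROM password_resets WHERE user_id = ?')->execute([$userId]);
    $pdo->prepare('INSERT INTO password_resets (user_id, token_hash, expires_at) VALUES (?, ?, ?)')
        ->execute([$userId, $tokenHash, $expires]);
    // Placeholder URL; the real site address is an assumption here.
    $sendMail($email, 'https://example.com/reset?token=' . $token);
}

// Step 2: the link is followed. Look up the presented token by its hash,
// reject unknown or expired tokens, overwrite the password and burn the token.
function completeReset(PDO $pdo, string $token, string $newPassword): bool
{
    $stmt = $pdo->prepare('SELECT user_id, expires_at FROM password_resets WHERE token_hash = ?');
    $stmt->execute([hash('sha256', $token)]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || new DateTimeImmutable($row['expires_at']) < new DateTimeImmutable()) {
        return false; // unknown or expired token
    }
    $pdo->beginTransaction();
    $pdo->prepare('UPDATE users SET password_hash = ? WHERE id = ?')
        ->execute([password_hash($newPassword, PASSWORD_DEFAULT), $row['user_id']]);
    $pdo->prepare('DELETE FROM password_resets WHERE user_id = ?')->execute([$row['user_id']]);
    $pdo->commit();
    return true;
}
```

Login then checks the stored value with password_verify(), and the stored token hash is useless on its own because only the emailed link carries the raw token.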
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

Not without a lot of brute force work, pretty much.

If you search the board for md5 against the username Roja, you'll find many discussions as to what you can and can't really do.
LostOne
Forum Newbie
Posts: 18
Joined: Wed Jul 28, 2004 3:21 pm
Location: Florida

Post by LostOne »

thanks guys! Looks like I'll have to allow them to change their password.
timvw
DevNet Master
Posts: 4897
Joined: Mon Jan 19, 2004 11:11 pm
Location: Leuven, Belgium

Post by timvw »

btw, why are you performing md5 on md5?
LostOne
Forum Newbie
Posts: 18
Joined: Wed Jul 28, 2004 3:21 pm
Location: Florida

Post by LostOne »

timvw wrote: btw, why are you performing md5 on md5?

From here: http://www.olate.com/articles/185. His explanation is below...


I will break it up into the two parts, firstly, it uses the md5() function to create a hash from the $password variable. Then, it uses the md5() function again, but this time it uses the $password hash, and the unencrypted $salt, to create a hash from the whole lot. This is a bit more secure than just having the following code:

$encrypted = md5($password);


The guy's name is Matt Eunson; great stuff on the site!
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

Overall, hashing a hash is less secure. Given any length original password, the hash will result in a finite length message which has known characteristics. Adding a salt does almost nothing, especially since colliding an md5 isn't all that hard anymore.
Weirdan
Moderator
Posts: 5978
Joined: Mon Nov 03, 2003 6:13 pm
Location: Odessa, Ukraine

Post by Weirdan »

feyd wrote: ...especially since colliding an md5 isn't all that hard anymore.
Surely hashing a hash would decrease the entropy of the resulting hashes... but, if I remember correctly, to create a collision one would need to control both inputs. In other words, a collision attack is useless to break passwords stored this way.
LostOne
Forum Newbie
Posts: 18
Joined: Wed Jul 28, 2004 3:21 pm
Location: Florida

Post by LostOne »

Thank goodness I have "NO" idea what you guys are talking about. I have not been programming in php long enough... 8O