
forgot my password

Posted: Thu May 08, 2003 7:47 pm
by matecocido
How can I decrypt a password made using password() to send the famous mail with "your password is ..."? Sorry, I'm talking about MySQL. Anyway, can someone answer me?
Thanks buddies!

Posted: Thu May 08, 2003 9:26 pm
by volka
Sorry, I'm talking about MySQL
right, therefore this topic is here now

http://www.mysql.com/doc/en/Miscellaneous_functions.html#IDX1340
PASSWORD() encryption is non-reversible.
sorry ;)
But if you have another account with proper permission you might simply overwrite the old password
http://www.mysql.com/documentation/mysq ... #Passwords

Posted: Thu May 08, 2003 9:54 pm
by matecocido
Thank you volka. I read what you prompted and saw that I was using the wrong function. I'll use some of the other functions for my users, such as md5(), sha1() or aes_encrypt() which do have a decrypt equivalent.

Posted: Thu May 08, 2003 10:01 pm
by volka
you're looking for encryption. md5 and sha1 are hashes that are non-reversible, too
http://www.mysql.com/doc/en/Miscellaneous_functions.html#IDX1349
AES_ENCRYPT() and AES_DECRYPT() were added in version 4.0.2
Hope your mysql-version is up to it ;)

Posted: Sat May 10, 2003 11:20 pm
by matecocido
So I should use encode()/decode().
It's not so secure I suppose, but it's the only option I have if I want to be able to decode. I'm using version 3.23.53. Am I right? :?

Posted: Sun May 11, 2003 12:10 pm
by ReDucTor
I recommend:

You have a field in your table which contains a code if they are requesting a password, this field is cleared on login, and is set on requesting password, it is set with a random value that is emailed, then the email sends them to the site to get it checked, if they got the right code they can specify a new password to be used that will overwrite the old.
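
The reset-code flow ReDucTor describes above, sketched in PHP as an added example that is not part of the original thread. The users table, its column names, the one-hour expiry and storing only a SHA-256 hash of the code are assumptions added here.

```php
<?php
// Added example; table and column names are assumptions, not from the thread.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (email TEXT PRIMARY KEY, pass_hash TEXT,
           reset_code TEXT, reset_expires INTEGER)');

// Set the code on request. Returns the code to e-mail, or null for an unknown
// address (the page shown to the requester should be the same in both cases).
function requestReset(PDO $db, string $email): ?string {
    $code = bin2hex(random_bytes(16)); // 128 bits from the OS CSPRNG
    $st = $db->prepare('UPDATE users SET reset_code = ?, reset_expires = ? WHERE email = ?');
    // Only a hash of the code is stored, so a leaked table holds no usable codes.
    $st->execute([hash('sha256', $code), time() + 3600, $email]);
    return $st->rowCount() === 1 ? $code : null;
}

// Clear the code, as the post describes for login; also used after a reset.
function clearReset(PDO $db, string $email): void {
    $db->prepare('UPDATE users SET reset_code = NULL, reset_expires = NULL WHERE email = ?')
       ->execute([$email]);
}

// Check the code from the e-mailed link; on success overwrite the old password.
function completeReset(PDO $db, string $email, string $code, string $newPass): bool {
    $st = $db->prepare('SELECT reset_code, reset_expires FROM users WHERE email = ?');
    $st->execute([$email]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    if (!$row || $row['reset_code'] === null || (int)$row['reset_expires'] < time()) {
        return false; // no pending request, or the code has expired
    }
    if (!hash_equals($row['reset_code'], hash('sha256', $code))) {
        return false; // constant-time comparison failed
    }
    $db->prepare('UPDATE users SET pass_hash = ? WHERE email = ?')
       ->execute([password_hash($newPass, PASSWORD_DEFAULT), $email]);
    clearReset($db, $email); // single use
    return true;
}

// Constructed sample data and a run through the flow.
$db->prepare('INSERT INTO users (email, pass_hash) VALUES (?, ?)')
   ->execute(['user@example.com', password_hash('old-password', PASSWORD_DEFAULT)]);
$code = requestReset($db, 'user@example.com');
var_dump(completeReset($db, 'user@example.com', 'wrong-code', 'new-password'));
var_dump(completeReset($db, 'user@example.com', $code, 'new-password'));
var_dump(completeReset($db, 'user@example.com', $code, 'another-password'));
```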

Posted: Sun May 11, 2003 1:21 pm
by m3mn0n
If all else fails, create your own encryption system. This idea might have its opposition, but it's safe as long as you keep the decryption source function safe.

:wink:

Posted: Sun May 11, 2003 6:23 pm
by Coco
for me... the best solution is probably the first one....
over-write it.

on my site.... we found that the average user wasn't mature enough to do it however (they were getting new passwords mailed to everyone and anyone) so we have a new-password script that overwrites a user's pass and mails it to them that is only accessible by admins....

quick easy and simple... but remember to use a prefix for your encryptions :P

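Code:

<?php
// $pass holds the plaintext password submitted by the user
$prefix = 'put here unpredictable string'; // secret prefix kept on the server
$pass = $prefix . $pass;                   // prepend it before hashing
$pass = md5($pass);                        // one-way hash; store this value
?>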
Of course, you can't retrieve the password after this is done... but would you want to give that much power to someone?

Posted: Sun May 11, 2003 7:29 pm
by hob_goblin
most places email you a confirmation email and then if you accept a new password is written...

Posted: Tue May 20, 2003 6:14 pm
by matecocido
:D
Hello, I spent some days without logging in. Now I see many useful suggestions. I am not sure which one I'll finally use. Maybe I'll overwrite the old password or I can have my own encryption algorithm, but I want to thank you all for your support and advice.