I have passwords stored in a database using md5, and was wondering if there was a way to reverse the hash to email the user's password to him in case they forget it.

If that's not the most appropriate method, what is the appropriate method for dealing with a lost password?

+56  A: 

You can't. The whole point of a hash is that it's one way only. This means that if someone manages to get the list of MD5 hashes, they still can't get your password. (Not that MD5 is as secure as it might be, but never mind.) Additionally it means that even if someone uses the same password on multiple sites (yes, we all know we shouldn't, but...) administrators of site A won't be able to use the user's password on site B.

Even if you could, you shouldn't email them their password - that's sensitive information which might remain sensitive.

Instead, generate a new, random password and email that to them, forcing them to change it on first login. Additionally, if you can, make that password expire after a short period (e.g. 24 hours) so that even if they don't change the password (because they don't log in), there's a reduced vulnerability window.

Jon Skeet
You've got so much rep you're making your answers wiki now? :)
Greg
Greg: Yup, until Monday. It's a rep holiday. I'm sure I'll get some from old answers, but I thought it would be fun.
Jon Skeet
Some people have weird hobbies, while others have to work :-)
Joey
Good on you Jon.
Daniel May
Thanks for answering. Is there any other method for saving passwords that can be reversed at a future time?
amir
Yes, there are other methods, but you need to understand what Jon said above - 'you shouldn't email them their password - that's sensitive information which might remain sensitive.' - at the lowest level, emails can be intercepted and sensitive information can be retrieved. A password should stay as secure as possible - usually by keeping it as a hash only in a database.
Daniel May
Let us know on meta whether you still hit your rep cap
Greg
And also the fact that if the password can be reversed, that means anyone who gets access to your database can get at users' passwords. *Not* a good idea. One way passwords should be the norm; only keep the real password (even encrypted) if you absolutely *have* to (e.g. to authenticate with another system which doesn't have anything token-based).
Jon Skeet
24 hours is a lot of time. I would reduce that to 10 minutes or so. That would be enough even if you first need to login to your e-mail account.
Gumbo
@Gumbo: When would you start the timer though? Giving only 10 minutes doesn't allow for server-lag, what if the email wasn't sent instantly?
Daniel May
I've seen antispam measures where the receiver's webserver denies an incoming mail just to wait for the sender's mailserver to retry (spambots usually only try once). That could easily exceed your 10 minute timeout.
Simon Svensson
@Gumbo making it one-time-use is more important than the timeframe. If there is a man in the middle or someone with access to the user's email, it's a simple race with no advantage to either party. We should assume we lose - the next best thing is knowing right away something is wrong because the one-time-use password already got used.
Rex M
This reminds me of a story I heard about a guy who never bothered with passwords at all, he just got the recovery systems to generate a fresh one every time he needed to log in.
JonB
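A concrete version of the reset flow Jon describes, with the short expiry and one-time use argued for in the comments, as an added Python example (not code from any of the answers). The in-memory `store` dict, the 10-minute lifetime and the function names are assumptions; the same logic applies whether the one-time credential is a temporary password or a link token.

```python
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta

# The token is hashed before storage for the same reason passwords are:
# a leaked database must not expose live reset credentials.
TOKEN_LIFETIME = timedelta(minutes=10)   # short window, as suggested in the comments (assumed value)


def _token_hash(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


def issue_reset_token(store: dict, username: str, now: datetime) -> str:
    """Create a one-time reset token and record only its hash, expiry and used flag."""
    token = secrets.token_urlsafe(32)            # 256 bits of randomness, not guessable
    store[username] = {
        "token_hash": _token_hash(token),
        "expires_at": now + TOKEN_LIFETIME,
        "used": False,
    }
    return token                                  # this value goes to the user; the hash stays in the store


def redeem_reset_token(store: dict, username: str, token: str, now: datetime) -> bool:
    """Accept the token (and burn it) only if it matches, is unexpired and unused."""
    record = store.get(username)
    if record is None or record["used"] or now > record["expires_at"]:
        return False
    if not hmac.compare_digest(record["token_hash"], _token_hash(token)):
        return False
    record["used"] = True                         # one-time use: a second redemption fails
    return True


def demo_reset_flow() -> dict:
    """Walk one token through its lifetime and report each check's outcome."""
    store: dict = {}
    t0 = datetime(2024, 1, 1, 12, 0)              # constructed clock value
    token = issue_reset_token(store, "alice", t0)
    return {
        "wrong_token": redeem_reset_token(store, "alice", "not-the-token", t0 + timedelta(minutes=1)),
        "first_use": redeem_reset_token(store, "alice", token, t0 + timedelta(minutes=1)),
        "second_use": redeem_reset_token(store, "alice", token, t0 + timedelta(minutes=2)),
        "expired": redeem_reset_token(store, "alice", issue_reset_token(store, "alice", t0),
                                      t0 + timedelta(minutes=11)),
    }
```

A second use of the same token failing is exactly the signal Rex M mentions: if it was already burned when the legitimate user arrives, something is wrong.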
+9  A: 

Not possible, at least not in a reasonable amount of time.

The way this is often handled is a password "reset". That is, you give them a new (random) password and send them that in an email.

mgroves
If the hash wasn't salted, you'd be surprised how often all it takes is a google search for the hashed value...
Michael Borgwardt
Not really practical for a password retrieval system though, even an unsalted one :)
mgroves
+6  A: 

MD5 is a hashing algorithm, you can not revert the hash value.

You should add a "change password feature", where the user gives another password, calculates the hash and stores it as a new password.

Svetlozar Angelov
+5  A: 

There's no easy way to do it. This is kind of the point of hashing the password in the first place. :)

One thing you should be able to do is set a temporary password for them manually and send them that.

I hesitate to mention this because it's a bad idea (and it's not guaranteed to work anyway), but you could try looking up the hash in a rainbow table like milw0rm to see if you can recover the old password that way.

Bill the Lizard
+10  A: 

Technically, it's 'possible', but under very strict conditions (rainbow tables, brute forcing based on the very small possibility that a user's password is in that hash database).

But that doesn't mean it's

  • Viable
    or
  • Secure

You don't want to 'reverse' an MD5 hash. Using the methods outlined below, you'll never need to. 'Reversing' MD5 is actually considered malicious - a few websites offer the ability to 'crack' and bruteforce MD5 hashes - but all they are are massive databases containing dictionary words, previously submitted passwords and other words. There is a very small chance that it will have the MD5 hash you need reversed. And if you've salted the MD5 hash - this won't work either! :)


The way logins with MD5 hashing should work is:

During Registration:
User creates password -> Password is hashed using MD5 -> Hash stored in database

During Login:
User enters username and password -> (Username checked) Password is hashed using MD5 -> Hash is compared with stored hash in database

When 'Lost Password' is needed:

2 options:

  • User sent a random password to log in, then is bugged to change it on first login.

or

  • User is sent a link to change their password (with extra checking if you have a security question/etc) and then the new password is hashed and replaced with old password in database
Daniel May
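The registration, login and change-password steps above as an added Python example (not code from this answer). It substitutes the standard library's PBKDF2-HMAC-SHA256 with a per-user salt for a bare MD5 call, keeping the same store-a-hash-and-compare flow, and ends with a tiny constructed lookup table to show why the "google the hash" trick from the comments only matches unsalted MD5. The `users` dict and all function names are assumptions.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed in-memory "users table": username -> {"salt": bytes, "hash": bytes}
users: dict = {}


def _hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256 instead of plain MD5: still one-way, but salted and slow to brute force
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def register(username: str, password: str) -> None:
    """Registration: hash with a fresh per-user salt; store only salt and hash."""
    salt = secrets.token_bytes(16)
    users[username] = {"salt": salt, "hash": _hash_password(password, salt)}


def login(username: str, password: str) -> bool:
    """Login: re-hash the submitted password with the stored salt and compare hashes."""
    record = users.get(username)
    if record is None:
        return False
    return hmac.compare_digest(record["hash"], _hash_password(password, record["salt"]))


def change_password(username: str, old: str, new: str) -> bool:
    """Change-password feature: the old hash is simply replaced by the new one."""
    if not login(username, old):
        return False
    register(username, new)       # new salt and new hash overwrite the old record
    return True


# Constructed precomputed table, the kind a lookup site holds: md5(word) -> word
COMMON_WORDS = ["admin", "password", "123456"]
PRECOMPUTED = {hashlib.md5(w.encode()).hexdigest(): w for w in COMMON_WORDS}


def unsalted_md5_hex(password: str) -> str:
    """What the question's database stores: bare MD5 of the password."""
    return hashlib.md5(password.encode()).hexdigest()


def lookup_precomputed(stored_hex: str) -> Optional[str]:
    """A lookup hit means the stored value was an unsalted hash of a common word."""
    return PRECOMPUTED.get(stored_hex)
```

The unsalted MD5 of "admin" is found in the table at once, while the salted record for the same password never appears in any table built ahead of time.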
+6  A: 

You can't revert an md5 password (in any language).

But you can:

  • give the user a new one.
  • check in some rainbow table to maybe retrieve the old one.

Nettogrof
Nix the rainbow table idea. If you're salting -- and you should be -- then it wouldn't work, anyhow.
Steven Sudit
+4  A: 

MD5 is a one way Hash function. Sorry!

Davie
+1  A: 

Reverting the MD5 would yield multiple passwords also.

Carles
+5  A: 

See all other answers here about how and why it's not reversible and why you wouldn't want to anyway.

For completeness though, there are rainbow tables which you can look up possible matches on. There is no guarantee that the answer in the rainbow table will be the original password chosen by your user so that would confuse them greatly.

Also, this will not work for salted hashes. Salting is recommended by many security experts.

Dinah
+1  A: 

MD5 has its weaknesses (see Wikipedia), so there are some projects which try to precompute hashes. Wikipedia also hints at some of these projects. One I know of (and respect) is ophcrack. You can not tell the user their own password, but you might be able to tell them a password that works. But I think: just mail them a new password in case they forgot.

dz
+1  A: 

There is no way of "reverting" a hash function in terms of finding the inverse function for it. As mentioned before, this is the whole point of having a hash function. It should not be reversible and it should allow for fast hash value calculation. So the only way to find an input string which yields a given hash value is to try out all possible combinations. This is called a brute force attack for that reason.

Trying all possible combinations takes a lot of time and this is also the reason why hash values are used to store passwords in a relatively safe way. If an attacker is able to access your database with all the user passwords inside, you lose in any case. If you have hash values and (idealistically speaking) strong passwords, it will be a lot harder for the attacker to get the passwords out of the hash values.

Storing the hash values is also no performance problem because computing the hash value is relatively fast. So what most systems do is compute the hash value of the password the user keyed in (which is fast) and then compare it to the stored hash value in their user database.

Kage
A: 

You can Google for an md5 hash and see if you can find its original value. Ex: say someone's password is "admin": Google Result for "admin" hash

SeanDowney
A: 

I also came across this http://code.google.com/p/kalgecin/ that has a Perl based crack.pl tool. I am testing it now and it has been running for about 10 minutes on a simple MD5 hash.

meme
+1  A: 

It's already mentioned multiple times that this is poor practice.

But, in the interest of possibilities, there are web tools that do MD5 reverse lookups.

One such tool has a web UI and an API: http://tools.benramsey.com/md5/

spoulson
Ack, this site was already mentioned in the comments. Oops.
spoulson
+1  A: 

The only thing that can work (if the passwords are just hashed, without adding any kind of salt to prevent replay attacks; if there is a salt, you must know it) is this: get a dictionary attack tool and files of many words, numbers etc., then create two rows, one row being the word or number (in the dictionary) and the other one the hash of the word, and compare the hashes; if one matches, you've got it...

that's the only way, without going into cryptanalysis.

berkay