I have passwords for members on a site encrypted using MD5 and stored in the database. I want to implement a lost password functionality where the user will be emailed their credentials if they forget them. But how do I output the unencrypted password, or is it one-way encryption and hence impossible?


md5 is a one-way encryption/hashing function. Once hashed, a string can only be compared to its hashed version and not decrypted.

+14  A: 

MD5 isn't encryption - it's a one-way hash. You can't (theoretically you can, but you can't in any reasonable amount of time) reverse a one-way hash, so you just need to set a new password and email it to them as a temporary, and/or just provide them a link to reset their password.

Nick Bastin
Actually what you describe isn't reversing the hash. The best you can do is find a plaintext that hashes to the same value. Asserting that what you find is the same as the original (and not simply a hash collision) assumes more than you actually know.
Sure, but it doesn't actually matter - as soon as you can find plaintext that hashes to the same value, you can defeat it.
Nick Bastin
@Nick Well if the intention of attempting to reverse the hash is to retrieve the original text and not a different one that works then it does matter.
+3  A: 

The point of using a one-way hash is to prevent exactly what you are trying to do. If you can read the plaintext password, then anyone who gets a hold of your database can too. Hint: what do you do with old backup media? Throw them in the trash? Criminals have been known to dumpster-dive for backups.

Instead of sending the user's password back to them, set up a system so they can reset their password. Read up on some articles about this before implementing it.

Bill Karwin
+2  A: 


You can't recover the original password from the MD5 hash. It's a one way hash function.


You shouldn't be providing them with the plain text password. What you should do instead is either allow them to change the password, or generate a random one for them to use and then force them to change it.

Josh K
+2  A: 
  1. You shouldn't use MD5. Use sha1 and also use a salt; there is a lot of information on the internet.

  2. The purpose of hashing the password is exactly that. It is used because the original password can't be gotten (theoretically), so the password would be saved securely and it can be used to check easily if the password is correct.

  3. Almost all websites choose to generate a new password and send it by email as the forgot-password mechanism.

Even SHA-1 is rapidly becoming deprecated for new deployments, in favour of the SHA-2 family.
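The flow these answers describe, written out as an added Python example (not code from the question or any answer): the unsalted MD5 digest the asker's database holds, a salted slow hash to store instead, and a single-use, expiring reset token in place of e-mailing the password. The PBKDF2 parameters, the record layout, the dict used as a stand-in database and all sample values are assumptions.

```python
import hashlib
import hmac
import os
import secrets

PBKDF2_ITERATIONS = 600_000  # work factor; assumption, raise as hardware improves
RESET_TOKEN_TTL = 15 * 60    # seconds a reset token stays valid (assumption)

def legacy_md5(password: str) -> str:
    """What the asker's database holds: an unsalted MD5 hex digest."""
    return hashlib.md5(password.encode()).hexdigest()

def hash_password(password: str, salt: bytes = None) -> str:
    """Salted PBKDF2-HMAC-SHA256; returns 'pbkdf2_sha256$iters$salt_hex$hash_hex'."""
    salt = salt or os.urandom(16)  # a fresh random salt per password
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"

def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    _, iters, salt_hex, hash_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), hash_hex)

def issue_reset_token(db: dict, username: str, now: float) -> str:
    """Store only the hash of the token; the raw token goes into the e-mailed link."""
    token = secrets.token_urlsafe(32)
    db[username]["reset"] = (hashlib.sha256(token.encode()).hexdigest(), now + RESET_TOKEN_TTL)
    return token

def redeem_reset_token(db: dict, username: str, token: str, new_password: str, now: float) -> bool:
    """Accept the token once and only before expiry, then store a new salted hash."""
    record = db.get(username, {})
    stored = record.pop("reset", None)  # single use: removed whether or not it matches
    if stored is None:
        return False
    token_hash, expires = stored
    presented = hashlib.sha256(token.encode()).hexdigest()
    if now > expires or not hmac.compare_digest(token_hash, presented):
        return False
    record["password"] = hash_password(new_password)
    return True
```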
+2  A: 

md5 is known to be entirely too weak to protect against malicious behavior. (Wikipedia lists a 2^24.1 complexity attack.) That's seconds of CPU time. 1000 executions of md5 on my /etc/passwd takes 1.2 seconds -- and that's a fork(), exec(), open(), read(), and write() for each one, cause I'm lazy enough to just do a shell script. If I cared, it'd be different.

Even sha-1, md5's replacement, has enough known flaws that new applications should be deployed with hashes from the sha-2 family instead.

When the replacement has been replaced, it's time to move on. :)

I've never heard of that weakness in MD5 before... And I thought SHA-512 just made it harder by making attacks just take forever, not actually more secure. Hmmm.. I learned something today. +1

While it has been pointed out that md5 is a hashing function, a function that takes a password and returns a string, e.g. f(password) == hash.

It IS possible to calculate a password that, when put through this function, gives the same hash, e.g. f(password) == hash == f(password').

This is normally done by precalculating all of the possible passwords and storing the hashes of these in a rainbow table (see Wikipedia entry). It is possible to download such rainbow tables but they are HUGE!

You may not recover the same password that the user originally used due to collisions in the hashing function.

Jonathan Stanton