Ok. thats clear that one must store hashed password in the database but in case a user does not remembers the password and want to retrieve it back, then obviously the user wont like to have the hashed password. If the password is hashed with md5 or additional like salt and sha1 then how to retrieve back the password.
+14
A:
There is but one simple answer: You cannot.
Well, theoretically you could, but it could take many years per password if they are long enough. After all, that is the point of hashing passwords in the first place: to make the data effectively useless to an attacker (or at least protect the user's plaintext password, which is sensitive data.)
Just have the site send a "change your password" email containing a link to a page where that user can change his/her password. This is how most professional sites handle this dilemma.
hb2pencil
2010-09-01 06:05:50
and this is why the password strength of most professional sites is equivalent to the password strength of the email account you use to sign up for it!
Peter Ajtai
2010-09-01 06:16:20
That's true :) It still beats security questions for this though.
hb2pencil
2010-09-01 06:19:41
@hb2pencil http://tools.benramsey.com/md5/ md5 hash reverse tool. Good passwords probably won't exist in the db however.
Ben Rowe
2010-09-01 06:21:50
@Ben That site could be useful as a component of a password-screening process. I.E. If the new password's MD5 hash is in the DB, have the user create one that is more secure! :)
hb2pencil
2010-09-01 06:28:49
If you use a per-user random salt, sites like that are irrelevant.
Matthew Flaschen
2010-09-01 06:33:27
+4
A:
This is meant to be intractable. Thus, you usually have to provide some way of resetting it. Sending a special link to the user's email is common, though it reduces your security to that of the email account.
See Forgot Password: what is the best method of implementing a forgot password function? .
Matthew Flaschen
2010-09-01 06:07:32
+3
A:
The security of hashing instead of encrypting the password is that you cannot reverse a hash. If you could unhash the password and give the user their plain text password, then any hacker can reverse the hashed password you use for registration and sign in and "dehash" it to get the user's password.
This is a feature, not a bug.
chustar
2010-09-01 06:08:33
+1
A:
hashing itself stands for "cannot be retrieved back".
If a user cannot remember their password, they don't need this one for sure.
Just create another random one and send them.
Not a big deal.
Col. Shrapnel
2010-09-01 06:11:55
A:
yes..one may forgot his/her password..the good practice while using hashed password would be to make the user type the email address of the account whose password he/she want to reset then the system will reset the users password with another generated password. The MD5 like hashed password is almost impossible to retrieve the original password from the hashed one
Rahul TS
2010-09-01 06:16:59
A:
Always beware sites that can e-mail you the password you use. That means your password is easily seen by anyone who has access to the password database, which is especially dangerous if you reuse passwords.
For password resetting, I recommend using 'safe questions' with answers that are also encrypted.
It behooves all those who operate websites to keep their customers reasonably safe from hackers.
Sledgehammer
2010-09-01 06:32:39