views: 79

answers: 4

I am currently using MD5 encryption for storing the password in the database. Before, we didn't have the function for forgot password. But now we are implementing the forgot password. So I can't decrypt MD5 and send the password to the user. But I can do it if it is encrypted in base64. Now I am a little bit confused about which is the best encryption method.
I already did the client-side validation for a strong password (like 8-char length, special characters, etc.).

+9  A: 

Base 64 is not an encryption mechanism, it is an encoding scheme. It is easily reversed, so it is not a good choice for protecting critical data.

The common approach for passwords is to hash them with something like MD5, and then store the hash. When the user logs in again, hash the input password, and compare that to the stored hash.

If the user forgets his password, you should not be able to tell him what it is. Instead, allow him to reset it to something else (presumably something he can remember).

Also, as @Phil Brown mentions, MD5 is not considered a strong encryption mechanism. SHA-1 would be better suited for this task.

Base 64 encoding is generally used to transmit binary data over a mechanism that only allows ASCII text.

pkaeding
The common approach for forgotten passwords is to reset it, send the user the new password and force them to change it when they log in. Also, SHA1 is a stronger hashing algorithm than MD5.
Phil Brown
At this forgot-password time, can I get the password once again?
vinothkumar
@vinothkumar: You don't. You randomly generate a completely new password for them - not of their choosing. In addition, once they get their password reset, I'd consider locking the account if they fail to change their password after some period of time, since e-mail is sent in clear text.
Merlyn Morgan-Graham
+5  A: 

Base64 is not encryption, it is an easily reversible encoding mechanism. MD5 is a one-way cryptographic hash, though its use is not recommended because it is cryptographically weak.

For your needs you probably want to store the hash of the password (better with salt), probably using SHA-256 or better. When users forget their password, you generate a random one-time use password for them and force them to recreate a password, or just make them do it after verifying some credentials.

birryree
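The approach this answer recommends, as an added example that is not part of the original thread: a per-user random salt, a SHA-256-based hash (stretched with PBKDF2, which is a stronger variant than a single SHA-256 pass and is not something the answer itself names), constant-time verification, and a forgot-password flow that never recovers the old password but issues a random one-time replacement and forces a change at the next login. The `UserStore` class, the `iterations$salt$hash` storage format and the iteration count are assumptions for the example.

```python
import hashlib
import hmac
import os
import secrets

ITERATIONS = 100_000  # assumed work factor; raise as hardware allows


def hash_password(password, salt=None):
    """Return 'iterations$salt_hex$hash_hex' for storage; the salt is random per user."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"{ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Re-hash the candidate with the stored salt and compare in constant time."""
    iterations, salt_hex, hash_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), hash_hex)


class UserStore:
    """Minimal in-memory user table (constructed stand-in for the database)."""

    def __init__(self):
        self.users = {}  # username -> {"hash": str, "must_change": bool}

    def register(self, username, password):
        self.users[username] = {"hash": hash_password(password), "must_change": False}

    def login(self, username, password):
        user = self.users.get(username)
        return user is not None and verify_password(password, user["hash"])

    def forgot_password(self, username):
        """The old password is not recoverable from the hash, so do not try.
        Issue a random temporary one and flag the account so the user must change it."""
        temp = secrets.token_urlsafe(12)
        self.users[username] = {"hash": hash_password(temp), "must_change": True}
        return temp  # deliver out of band (e.g. the user's verified e-mail); assumed here

    def change_password(self, username, old, new):
        """Require the current (or temporary) password before accepting a new one."""
        if not self.login(username, old):
            return False
        self.users[username] = {"hash": hash_password(new), "must_change": False}
        return True
```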
+3  A: 

Base64 and MD5 are not encryption methods. Base64 is simply a way of encoding characters, which provides absolutely no security - it is as good as storing the password in plain text. MD5 is a hash function, which means it is one-way and cannot be decrypted.

Hashing is definitely the way to go. MD5 is okay, but you should switch to a more secure function such as SHA-256.

As for a "forgot password" feature, never store the user's password and send it back to them. Instead, generate a (random) temporary password for them so that they can log in and change it.

casablanca
A: 

Best practice is to store the password hash using MD5 as you are now (or even better SHA256).

Don't do password recovery. Instead, when a user forgets their password, create a new random password and send it to them. They can then log in and set the password to something they prefer. Much more secure.

Andrew Cooper