PHP/MySQL - md5 passwords



bozley05
February 15th, 2004, 00:34
I am creating a PHP script and using MySQL with it for the first time. I have been going along smoothly until my send password reminder... For passwords in the MySQL db I wanna have them in md5 format for security reasons, but because of this the password reminder e-mail sends the password in md5 format rather than the password the user types in.

Any ideas?

Canuckkev
February 15th, 2004, 00:59
You can always make the email send a password-change confirmation, then regenerate a new password, email them the new password, then md5 it to your db.

bozley05
February 15th, 2004, 01:04
Originally posted by Canuckkev
You can always make the email send a password-change confirmation, then regenerate a new password, email them the new password, then md5 it to your db.

That's good thinking! Problem solved :)

Thanks

bloodyveins
February 15th, 2004, 07:13
Well, generating a new password is a common method for retrieving a lost password. Since md5 is a one-way hash, it cannot be decrypted. Consequently, a new password has to be generated when a user loses his / hers.

What should be considered deeply is generating user-friendly passwords. For example, mail.yahoo.com retrieves a password by grabbing a database which contains familiar words (with a combination of special characters and alphanumerics) and pops a random password from the database. This is a better way than generating "meaningless" new passwords.

However, there is another way: to use a two-way hash. You can use, for example, "base64_encode" and "base64_decode" combined with a special function (to fuzzy up password cracker programs). With this method, the user will never lose his / her password.

It depends on you to decide.

CareBear
February 15th, 2004, 08:18
Another way would be to send a password reset link through email.
You generate a random password, store the MD5 hash in the database, create a password reset page and include a link like http://yourdomain.com/passwordreset.php?username=user&passreset=randompassword
If they click on it they get a page that asks them to choose a new password.

A lot of people will use the same password over and over for a dozen different things, so having it stored in a way that could potentially allow someone to "hack" them isn't very secure.

spec
February 15th, 2004, 17:24
It's never wise to pass a password or username using GET

bloodyveins
February 16th, 2004, 03:24
Originally posted by spec
It's never wise to pass a password or username using GET

It depends on the system.
Although it's unwise, the link is sent to the user's email, such that only hijackers (or some people right there) will feel interested in it.

An advanced system will use an intricate password recovery mechanism, and we wouldn't talk about it here, right??

CareBear
February 16th, 2004, 05:27
Originally posted by spec
It's never wise to pass a password or username using GET

Considering it's only a one-time-valid password that will get reset as soon as the page loads, there shouldn't be a problem.
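
The one-time reset link discussed in the posts above, as an added example that is not code from any poster in this thread: the link carries a random single-use token rather than a password, and only the token's hash is stored. Assumptions: the names issue_reset and redeem_reset, the example.com URL and its token parameter, and the arrays standing in for MySQL tables are hypothetical, and PHP's password_hash() and SHA-256 are used here in place of the thread's md5().

```php
<?php
// Added example. Arrays stand in for the MySQL users / password_resets tables.
$users  = ['alice' => ['hash' => password_hash('old-password', PASSWORD_DEFAULT)]];
$resets = [];

// Step 1: the user asks for a reset. Only a hash of the token is stored, so a
// leaked table does not yield usable links, and no password is ever emailed.
function issue_reset(array &$resets, string $username, int $ttl = 3600): string
{
    $token = bin2hex(random_bytes(32)); // 256-bit token from the CSPRNG
    $resets[$username] = [
        'token_hash' => hash('sha256', $token),
        'expires'    => time() + $ttl,
    ];
    // Hypothetical URL and parameter names, modelled on the link in the thread.
    return 'https://example.com/passwordreset.php?username='
        . rawurlencode($username) . '&token=' . $token;
}

// Step 2: the user follows the link and submits a new password.
function redeem_reset(array &$users, array &$resets, string $username,
                      string $token, string $newPassword): bool
{
    $row = $resets[$username] ?? null;
    if ($row === null || !isset($users[$username])) {
        return false;                   // no pending reset for this account
    }
    if (time() > $row['expires']) {
        unset($resets[$username]);      // expired links are dropped
        return false;
    }
    // Constant-time comparison of the stored hash with the presented token.
    if (!hash_equals($row['token_hash'], hash('sha256', $token))) {
        return false;
    }
    // Consumed on a successful change, not on page load, so a mail scanner
    // that prefetches the link does not burn it.
    unset($resets[$username]);
    $users[$username]['hash'] = password_hash($newPassword, PASSWORD_DEFAULT);
    return true;
}

$link = issue_reset($resets, 'alice');
parse_str(parse_url($link, PHP_URL_QUERY), $query);
var_dump(redeem_reset($users, $resets, 'alice', 'wrong-token', 'n3w-passphrase')); // bad token
var_dump(redeem_reset($users, $resets, 'alice', $query['token'], 'n3w-passphrase')); // real token
var_dump(redeem_reset($users, $resets, 'alice', $query['token'], 'another-one')); // replayed link
var_dump(password_verify('n3w-passphrase', $users['alice']['hash']));
```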

salemener
February 2nd, 2005, 21:34
Originally posted by bozley05
I am creating a PHP script and using MySQL with it for the first time. I have been going along smoothly until my send password reminder... For passwords in the MySQL db I wanna have them in md5 format for security reasons, but because of this the password reminder e-mail sends the password in md5 format rather than the password the user types in.

Any ideas?

md5 encrypt in PHP is not the same as md5 in MySQL

kabatak
February 3rd, 2005, 09:37
Originally posted by salemener
md5 encrypt in PHP is not the same as md5 in MySQL

It is the same...
and this thread is kinda from 1 yr ago.