Getting Password

x3graphics · #1 (**permalink**) 04-20-05, 04:55 PM

Hello everyone,
I am new to php/mysql and this forum. I have started to create a site with a user login, which has worked fine so far, but I am trying to create a script for when someone forgets their username or password for the site. When I try to select the password in my sql I get the hashed value. How do I get the actual password. I have been searching on the web to see if it is possible, but haven't come up with anything. If this isn't possible what is the best way to get around this.
Thank You,
x3graphics

djwayne_2004 · #2 (**permalink**) 04-20-05, 05:13 PM

Hi x3graphics,

Depends on how the passwords are encryped, if you could post the script here we can help you more. There are many methods that you could use to create a "forgot your password" script, try looking for one on Hotscripts if not then i can help you out.

Kind Regards

Wayne

moronovich · #3 (**permalink**) 04-20-05, 07:03 PM

hi x3graphics,
maybe the password is stored in one way hash. if it's so, there's no such way to retrieve lost password. instead, you should make a page/section where user can ask for new password.

x3graphics · #4 (**permalink**) 04-21-05, 02:53 AM

I used the mysql password function. So I am guessing that it is a one way hash. I don't remember reading about only one way hashes, i figured that I would be able to bring the hashed value back to its original value. I guess I could just make the user reset the password. For future reference how would I create a password that would be a two way hash.
Thank you
x3graphics

FiRe · #5 (**permalink**) 04-21-05, 06:50 AM

Go to your table and browse it, study the password field for each user. If its a load of random letters and numbers its most likely encrypted in md5 in which case for the lost password feature you have to create a random new password and encrypt it. If the passwords are not encrypted then you can just echo it, though its less secure if its not encrypted in the database. I recommend you take a look at http://www.xeweb.net/tutorials/user_...dex.php?page=6

moronovich · #6 (**permalink**) 04-21-05, 09:58 AM

Quote:

Originally Posted by x3graphics

I used the mysql password function. So I am guessing that it is a one way hash. I don't remember reading about only one way hashes, i figured that I would be able to bring the hashed value back to its original value. I guess I could just make the user reset the password. For future reference how would I create a password that would be a two way hash.
Thank you
x3graphics

mysql password is one way hash. if you want to use 2-way hash, you can try AES Rijndael 128-bit (symmetric encryption) or even RSA encryption (asymmetric encryption with private and public key)

link to mysql encryption functions http://dev.mysql.com/doc/mysql/en/en...functions.html

tips:
1. further reading: Bruce Schneier, Applied Cryptography
2. RTFM is the ultimate resource.

off topic:
The Da Vinci Code, a good novel to read..

FiRe · #7 (**permalink**) 04-21-05, 10:46 AM

or use blowfish, i use it but u need PEAR 2 support it!

x3graphics · #8 (**permalink**) 04-21-05, 12:46 PM

So I am going to use this aes_encript function, but I am not sure how to use it. My previous sql command was:

insert into auth_user values ('','$_POST[f_name]','$_POST[l_name]','$_POST[user_name]', password('$_POST[user_pass]'),'$_POST[user_priv]','$_POST[email]', now(), now())"

Could someone PLEASE rewite it with the new fuction
Thank you
x3graphics