MakeWebGames

Posted

Re: Password Recovery

Does anyone know how to make the script decode the MD5 encryption so it sends the password and not just the encrypted password, so they don't have to go to another site to decode their password?

Posted

Re: Password Recovery

There is no actual function or script that exists to decode an MD5 hash; all those websites do is check a database of hashes to see if someone has already hashed that word into MD5. The best/secure option for a forgot password page is to reset them and send the user a new password.

Posted

Re: Password Recovery

 

There is no actual function or script that exists to decode an MD5 hash; all those websites do is check a database of hashes to see if someone has already hashed that word into MD5.

And that's the reason we salt our hashes :-D

Posted

Re: Password Recovery

 

There is no actual function or script that exists to decode an MD5 hash; all those websites do is check a database of hashes to see if someone has already hashed that word into MD5.

And that's the reason we salt our hashes :-D

 

Can I see your salt hashing system?

Posted

Re: Password Recovery

 

There is no actual function or script that exists to decode an MD5 hash; all those websites do is check a database of hashes to see if someone has already hashed that word into MD5.

And that's the reason we salt our hashes :-D

 

I also salt my hashes for that same reason.

Posted

Re: Password Recovery

 

Can I see your salt hashing system?

No, because that would expose how we're salting, but here is the generic idea:

First create a function:

 

function SaltPassword ($salt, $password) {
   $saltedpass = md5($salt . $password);
   return($saltedpass);
}

 

This way, when you commit a password to the database, you just commit it salted, and when users authenticate, you salt their input and compare against the hash, i.e.:

 

// Set the password
$sql = "update users set password='" . SaltPassword($salt, $password) . "' where user_id=" . $sql_safe_user_id;

// Authenticate
$sql = "select user_id from users where username='" . $sql_safe_username . "' and password='" . SaltPassword($salt, $password) . "'";

 

Make sure your salt will always be the same per user (i.e. use a substring of, or md5 hash of their username as the salt, and not something volatile like their IP address), and you'll be set.

Since you're just generating a hash anyhow, it's no trouble to rip the string down to 15-20 characters, or otherwise modify the hash in your SaltPassword function to make it stronger, i.e.:

 

function SaltPassword ($salt, $password) {
   $saltedpass = substr(md5($salt . strrev($password) . md5($salt)), 5, 15);
   return($saltedpass);
}
Guest Anonymous
Posted

Re: Password Recovery

 

There is no actual function or script that exists to decode an MD5 hash; all those websites do is check a database of hashes to see if someone has already hashed that word into MD5.

And that's the reason we salt our hashes :-D

 

No, it's not. Think again. This is really a no-brainer.
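
An added example, not code from any poster in this thread: it accepts rows written by the first SaltPassword() function posted above, upgrades them on login to PHP's password_hash() (which generates a random salt per password and stores it inside the hash string), and handles a forgotten password with a single-use reset token instead of mailing a password. It assumes PHP 7.1+; the function names, the sample username and password, and the idea that the caller writes the returned values to the users table are all assumptions.

```php
<?php
// Added example, not code from the thread. Requires PHP 7.1+.
// Storage (columns, queries) is left to the caller and is an assumption.

// The thread's first SaltPassword(), kept only to recognise rows it wrote.
function legacy_hash(string $salt, string $password): string {
    return md5($salt . $password);
}

// Check a login against either format. Returns [ok, replacementHash|null];
// a non-null replacement should be written back to the user's row.
function verify_login(string $password, string $stored, string $legacySalt): array {
    if (strlen($stored) === 32 && ctype_xdigit($stored)) {        // legacy MD5 row
        if (!hash_equals($stored, legacy_hash($legacySalt, $password))) {
            return [false, null];
        }
        return [true, password_hash($password, PASSWORD_DEFAULT)]; // upgrade on login
    }
    if (!password_verify($password, $stored)) {   // salt and cost are read from $stored
        return [false, null];
    }
    $new = password_needs_rehash($stored, PASSWORD_DEFAULT)
        ? password_hash($password, PASSWORD_DEFAULT) : null;
    return [true, $new];
}

// Forgot-password: mail a random single-use token, store only its SHA-256 and expiry.
function issue_reset_token(int $ttl = 3600): array {
    $token = bin2hex(random_bytes(32));
    return ['mail' => $token, 'store' => hash('sha256', $token), 'expires' => time() + $ttl];
}

// Accept the token only before expiry; compare hashes in constant time.
function redeem_reset_token(string $presented, string $storedHash, int $expires): bool {
    return time() < $expires && hash_equals($storedHash, hash('sha256', $presented));
}

// Constructed sample data: one legacy row, upgraded on first successful login.
$row = legacy_hash('alice', 'correct horse');
[$ok, $upgraded] = verify_login('correct horse', $row, 'alice');
var_dump($ok, verify_login('correct horse', $upgraded, 'alice')[0]);
var_dump(verify_login('wrong guess', $upgraded, 'alice')[0]);

$t = issue_reset_token();
var_dump(redeem_reset_token($t['mail'], $t['store'], $t['expires']));
var_dump(redeem_reset_token($t['mail'], $t['store'], time() - 1));
```

After a successful redemption the caller should delete the stored token hash so the link cannot be used twice.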
