recycle password that hashed by md5 function

  • oranoos3000
    New Member
    • Jan 2009
    • 107

    recycle password that hashed by md5 function

    Hi,

    I have a registration page on my site.
    On this page, after form validation, I hash the user's password with the md5 function and
    then save this hashed password in the database.
    I want to recycle the user's password
    for when the user forgets the password,
    and then mail it to the email address the user entered at registration.
    How do I recycle this hashed password
    so that the password is readable for the user?
    Thanks a lot.
  • Markus
    Recognized Expert Expert
    • Jun 2007
    • 6092

    #2
    Originally posted by oranoos3000
    Hi,

    I have a registration page on my site.
    On this page, after form validation, I hash the user's password with the md5 function and
    then save this hashed password in the database.
    I want to recycle the user's password
    for when the user forgets the password,
    and then mail it to the email address the user entered at registration.
    How do I recycle this hashed password
    so that the password is readable for the user?
    Thanks a lot.

    In short: you can't. You're using a hash, which means it's a one-way street. Passwords should never be human-readable, not by you or anyone. If they've lost their password, send a new, randomly generated password to their email account.
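
The reset approach suggested in the reply above, as an added example that is not part of the original thread: rather than recovering the MD5 value, the stored hash is replaced with a salted, slow hash of a fresh random password. Python and PBKDF2 are choices made for this example; the `users` dict, the e-mail address, the sample row and the work factor are constructed assumptions.

```python
import hashlib
import hmac
import secrets

PBKDF2_ROUNDS = 600_000  # assumed work factor; tune for your hardware
SCHEME = "pbkdf2_sha256"

def hash_password(password):
    """Return 'scheme$rounds$salt_hex$digest_hex' with a fresh random salt."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return f"{SCHEME}${PBKDF2_ROUNDS}${salt.hex()}${digest.hex()}"

def verify_password(password, stored):
    """Check a login attempt; legacy bare-MD5 rows never verify here."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != SCHEME:
        return False
    _, rounds, salt_hex, digest_hex = parts
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(candidate.hex(), digest_hex)

def reset_password(users, email):
    """Overwrite the stored hash with one for a new random password.

    Returns the new password so the caller can mail it, or None when the
    address is unknown. The plaintext is never written to the store.
    """
    if email not in users:
        return None
    new_password = secrets.token_urlsafe(12)  # 16 URL-safe characters
    users[email] = hash_password(new_password)
    return new_password

def sample_users():
    # Constructed sample row: unsalted md5("password"), as in the question.
    return {"alice@example.test": "5f4dcc3b5aa765d61d8327deb882cf99"}

if __name__ == "__main__":
    users = sample_users()
    temp = reset_password(users, "alice@example.test")
    print("mail to user:", temp)
    print("stored now  :", users["alice@example.test"])
    print("verifies    :", verify_password(temp, users["alice@example.test"]))
```
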


    • xaxis
      New Member
      • Feb 2009
      • 15

      #3
      Well, there is a way, but the effort involved may not be worth your while (not to mention your computing resources' 'while').

      Using a hash table (excuse the pun) of precomputed hashes (say every possible alpha-num combination up to 9 characters - same as your password policy) that use the string that produced a given md5 hash item as its index/key, you could then compare the lost password hash with the precomputed hash table and the matching hash in the hash table would return the user's password (it would be the hash table's index/key), for after all a hash table is simply a 1-dimensional associative array.

      This is known as a rainbow table. After the time spent producing the table is complete, the matching (reversing) of a user's password hash could be done in about 1/2-1 hours for one lost password on say, your average desktop PC (this is an extremely rough guess based on 128 bit md5, the definition of "average desktop PC", and assumptions on the way things would be coded/implemented that are swirling about in my head).

      In crypto-speak the comparisons in the hash table that match are known as collisions. You could also combine your collision detection algorithm with a birthday function (search probability theory or birthday attacks for info); you could then, on average, reduce the time it takes to deduce a user's lost password and in turn e-mail them the result in a semi-variable-reasonable amount of time. :) I need to mention that all the original user password hashes should not contain a salt and be passed over only once by md5.

      So I guess I'll have to conclude: can you reverse an md5 hash? Yes. Is it practical given your context: maybe/for you to decide. AND: Yes, I know. Technically speaking the hash is not being "reversed" in and of itself, but the end result is the same.


      • Markus
        Recognized Expert Expert
        • Jun 2007
        • 6092

        #4
        I'll change my answer.

        In short: you shouldn't. You, as a webmaster, should respect your users' privacy.
