MD5 Newbie question
#1

[eluser]brixxster[/eluser]
Hello guys.

I have successfully saved the password converted to MD5, but now I have to send this password to the client. How do I revert to human-readable form the password that I just saved to the database?

Thanks in advance guys.
#2

[eluser]davidbehler[/eluser]
MD5 is a hashing function that cannot be reversed.
Are you planning on creating a "Forgot password?" function and want to send the user his original password? That can't be done using MD5 hashing.

What you can do is this:
1. Encrypt and decrypt the password using the CI encryption library
or
2. Keep using md5 and instead of sending the original password just generate a new one
#3

[eluser]skimmas[/eluser]
You can't decrypt an md5 string, that's the point of encrypting it.
If you want to see that the user is sending the right password, you have to take the password string he is sending, encrypt it and then compare it with the string you have stored.

You can see a nice screencast on how to make a very simple login system @ http://net.tutsplus.com/videos/screencas...y-6-login/

If you're a newbie it might be helpful to watch the whole series at nettutsplus
#4

[eluser]n0xie[/eluser]
[quote author="skimmas" date="1265467477"]You can't decrypt an md5 string, that's the point of encrypting it.[/quote]
Actually...

Encryption is used to obfuscate a certain message unless you know the way it was obfuscated (called a cipher). By definition this means that an encryption should be reversible.

What you are referring to is a one-way-hash function, which is by definition NOT reversible.

Not trying to nitpick, but if you want to explain these two algorithms to beginners, it's vital to be exact and precise so you don't confuse them.
#5

[eluser]brixxster[/eluser]
Thanks for your reply guys.

I guess I have to rethink the membership process then. The way my client wants it is to have each member's password displayed in the admin area so that whenever one of the members requests to have their password sent back to their email he can do so by searching the member's ID.

@waldmeister: Thanks for your suggestion. Password reset seems like the logical method.

@skimmas: I saw Jeff Way's video tutorial. I actually finished all 7 videos before I started coding in CodeIgniter. I'll definitely go with password reset in case of forgotten password.

@n0xie: You're right. Is there a cipher function included in CodeIgniter?

Thanks for the help again, guys. Newbies like me need your guidance, and I thank you for sparing some time to answer each newbie question, however stupid it may sound. :)
#6

[eluser]JoostV[/eluser]
Quote: The way my client wants it is to have each member’s password displayed in the admin area so that whenever one of the members requests to have their password sent back to their email he can do so by searching the member’s ID.
That sounds like your client wants to send forgotten passwords by hand :ohh:

You could create a reset password routine, there's no need to send forgotten passwords.

1. visitor requests reset by filling in their username
2. a confirmation email with a reset code is automatically sent to the known email address. You can store the confirmation code (Sha1 hash) in the user's profile, along with an expiration timestamp
3. If the visitor clicks the link in the confirmation e-mail he is taken to the password reset page, like /reset/confirm/[hashcode]/[username]
4. The reset page checks the username, hashcode and expiration time.
5. If all is well, the password is reset to a random string
6. The reset page saves the new password and sets the reset hashcode and expiration timestamp to NULL
7. The reset page automatically sends an e-mail to the visitor containing the new password
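
The reset-code handling in steps 2, 4 and 6 of the routine above, as an added example that is not part of the original post or of CodeIgniter. It assumes plain PHP 7.1+, an in-memory `$users` array standing in for the database, hypothetical function names `issue_reset_code` and `redeem_reset_code`, and SHA-256 in place of the SHA-1 mentioned in the post.

```php
<?php
// Added example: in-memory stand-in for the users table (constructed data).
$users = ['alice' => ['reset_hash' => null, 'reset_expires' => null]];

// Step 2: create a one-time reset code; store only its hash plus an expiry.
function issue_reset_code(array &$users, string $username, int $now, int $ttl = 3600): ?string
{
    if (!isset($users[$username])) {
        return null; // caller should show the same message either way
    }
    $code = bin2hex(random_bytes(32)); // CSPRNG output, 64 hex characters
    $users[$username]['reset_hash'] = hash('sha256', $code);
    $users[$username]['reset_expires'] = $now + $ttl;
    return $code; // goes into the e-mailed link, never into the database
}

// Steps 4 and 6: check username, code and expiry, then clear the code.
function redeem_reset_code(array &$users, string $username, string $code, int $now): bool
{
    $row = $users[$username] ?? null;
    if ($row === null || $row['reset_hash'] === null) {
        return false; // unknown user or no reset pending
    }
    // hash_equals compares in constant time, so timing does not leak the hash.
    $ok = hash_equals($row['reset_hash'], hash('sha256', $code))
        && $now <= $row['reset_expires'];
    if ($ok) {
        // Single use: null both fields so the link cannot be replayed.
        $users[$username]['reset_hash'] = null;
        $users[$username]['reset_expires'] = null;
    }
    return $ok;
}

// Walk-through with a constructed timestamp: wrong code, valid code,
// replay of the same code, and a fresh code presented after it expired.
$t0 = 1700000000;
$code = issue_reset_code($users, 'alice', $t0);
var_dump(redeem_reset_code($users, 'alice', 'wrong', $t0 + 10));
var_dump(redeem_reset_code($users, 'alice', $code, $t0 + 10));
var_dump(redeem_reset_code($users, 'alice', $code, $t0 + 20));
$late = issue_reset_code($users, 'alice', $t0);
var_dump(redeem_reset_code($users, 'alice', $late, $t0 + 7200));
```

Because only the hash of the code is stored, a leaked database row does not yield a usable reset link.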
#7

[eluser]n0xie[/eluser]
[quote author="brixxster" date="1265547431"]
@n0xie: You're right. Is there a cipher function included in CodeIgniter?
[/quote]
Although I would do the reset password differently (see Joost V's post), sometimes clients just want things done 'their' way, in which case all you can do is try to make the best of it. If your client really wants to have a list of all the passwords available, you should use encryption at least. CodeIgniter has an encryption class which might be of use to you.

Personally I would try to persuade the client to just use hashes, since everyone else is doing it.



