Decryption password
#1

[eluser]ravi_kachh[/eluser]
Hello friends,

I am using the Tank-auth library for storing information in the database.
This library uses the PasswordHash class to encrypt the password... Can anyone let me know how I can decrypt my stored password to its original form?

Thanks,
#2

[eluser]mddd[/eluser]
I don't know this library, but if the library is any good, you CAN'T restore the password. Usually passwords are hashed and stored. To check if the user has the right password, the hash is done again with the passwords provided by the users. If the hashes match, the password was correct. But you can't get the password back from the database.
#3

[eluser]gyo[/eluser]
PasswordHash (PHPass) is a one-way hashing class, thus it's not possible to get the original value.
#4

[eluser]ravi_kachh[/eluser]
Yes,

This is the main requirement. I need the password in its original form so that I can show it to the admin while editing a user's record.

Thanks
#5

[eluser]gyo[/eluser]
You'll need to change Tank-Auth by yourself, replacing PHPass with (for example) CI's native Encryption library.
But... this is a first big step to an insecure system.
#6

[eluser]WanWizard[/eluser]
It is (usually) not done to show someone's password to anyone, and that includes the admin or a database administrator.
That would allow them to impersonate other users. On our website, or worse, if the user uses the same username and password elsewhere, on other sites as well.

That's why one-way hashes are used for passwords.
#7

[eluser]KingSkippus[/eluser]
[quote author="ravi_kachh" date="1279723182"]Yes,

This is the main requirement. I need the password in its original form so that I can show it to the admin while editing a user's record.

Thanks[/quote]

I'll add to the chorus of others here in reiterating that this is an extremely terribly bad idea. Please, please, please do not do this, it will cause you much pain and anguish. I knew a guy once who was a really nice guy all of his life, but when he died, they actually denied him entry into heaven because he did this once when he was a beginner coder.

Standard practice is that if an administrator has to have access to a user's account, they reset the password. This keeps them honest and, as mentioned above, from directly impersonating a user. Yes, the user will realize that something is amiss the next time they log in and their password doesn't work. That's the point. Also, users cannot just click a "show me my password" button. If they forget it, they have to reset it, or else the site will create a random one for them that they can change at next login.

Frankly, if you have a web site that stores or otherwise conveys passwords in clear text, I'd appreciate you letting me know what it is so that I will diligently avoid it. I don't care if you have the next Google, if you use a security practice that is this hideously bad, I want no part of it.

So with all of that being said, I'm genuinely curious. Why exactly do you have to show the user's password to an administrator while editing the user's record? Whatever it is, I'm sure we can figure out some way around it to accomplish your goals and, most importantly, maintain security.
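
The hash-and-compare check from post #2 and the reset-instead-of-reveal practice from post #7, as an added example that is not part of the thread and is not Tank-Auth's or PHPass's own code. It uses PHP's built-in `password_hash()` / `password_verify()` in place of PHPass; the in-memory `$users` array, the function names and the sample account are assumptions made for illustration.

```php
<?php
// Added example. The $users array stands in for the users table (constructed data).
declare(strict_types=1);

$users = [
    'alice' => [
        'hash'        => password_hash('correct horse', PASSWORD_DEFAULT),
        'must_change' => false,
    ],
];

/** Login: hash the submitted password again and compare. Nothing is decrypted. */
function check_login(array $users, string $name, string $password): bool
{
    // Unknown users are verified against a dummy hash so both paths do similar work.
    static $dummy = null;
    $dummy ??= password_hash('placeholder', PASSWORD_DEFAULT);

    $hash = $users[$name]['hash'] ?? $dummy;
    $ok   = password_verify($password, $hash);

    return $ok && isset($users[$name]);
}

/** Admin action: replace the password instead of revealing it. */
function admin_reset(array &$users, string $name): string
{
    if (!isset($users[$name])) {
        throw new InvalidArgumentException("unknown user: $name");
    }
    $temp = bin2hex(random_bytes(8));            // 16 hex chars from the CSPRNG
    $users[$name]['hash']        = password_hash($temp, PASSWORD_DEFAULT);
    $users[$name]['must_change'] = true;         // force a new password at next login

    return $temp;   // handed over once; only its hash is stored
}

// Walk through the flow: the old password works, the admin resets it,
// the old password stops working and the temporary one is accepted.
var_dump(check_login($users, 'alice', 'correct horse'));
$temp = admin_reset($users, 'alice');
var_dump(check_login($users, 'alice', 'correct horse'));
var_dump(check_login($users, 'alice', $temp));
var_dump($users['alice']['must_change']);
```

The stored value changes on every reset, so the user notices at their next login that an administrator touched the account, which is the property post #7 describes.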
#8

[eluser]gyo[/eluser]
I totally agree, you should never put security behind.
This is why people say "PHP sucks, it's not secure etc...", just because the security subject is not well spread.



