PHP Forgot Password Function

I have a small community website and I need to implement some sort of forgotten password function. I currently store the passwords in the DB, encrypted with MD5.

Is it possible to sort of ‘decrypt’ and send it to user via email or would I need to have a password reset page?

Here is Solutions:

We have many solutions to this problem, But we recommend you to use the first solution because it is tested & true solution that will 100% work for you.

Solution 1

An MD5 hashed password is not reversible. (MD5 is hashing, and not really encrypting, so there’s a subtle difference). And yes you’ll definitely want to provide a password “reset” process (and not simply email the password).

To give you a high level workflow for secure password resets…

  1. When user asks to reset their password, make them enter their email address
  2. Don’t indicate if that email address was valid or not (just tell them that an email was dispatched). This is open for debate as it lowers usability (i.e. I have no idea which email I registered with) but it offers less information to people trying to gather information on which emails are actually registered on your site.
  3. Generate a token (maybe hash a timestamp with a salt) and store it into the database in the user’s record.
  4. Send an email to the user along with a link to your https reset page (token and email address in the url).
  5. Use the token and email address to validate the user.
  6. Let them choose a new password, replacing the old one.
  7. Additionally, it’s a good idea to expire those tokens after a certain time frame, usually 24 hours.
  8. Optionally, record how many “forgot” attempts have happened, and perhaps implement more complex functionality if people are requesting a ton of emails.
  9. Optionally, record (in a separate table) the IP address of the individual requesting the reset. Increment a count from that IP. If it ever reaches more than, say, 10… Ignore their future requests.

To give you a little more detail into hashing…

When you hash a value like a password using the md5() function in PHP, the final value is going to be the same for that password no matter which server you run it on. (So there’s one difference we can see right away between hashing and encryption… There’s no private/public key involved).

So this is where you’ll see people mention a vulnerability to rainbow tables. A very basic explanation of a rainbow table is… You md5() hash a bunch of dictionary words (weak passwords) in order to get their md5() hashed values. Put those in a database table (rainbow table).

Now, if you compromise a web site’s database, you can run the users’ hashed passwords against your rainbow table to (in essence) “reverse” the hash back to a password. (You’re not really “reversing” the hash… But you get the idea).

That’s where “salting” your passwords is best practice. This means (again, very basic idea here) that you append a random value to the users’ passwords before you hash it. Now, when the rainbow table is run against your database, it’s not as easily “reversed” because the md5() hash of “password” is different than “password384746”.

Here’s a nice SO Q/A that should help. Secure hash and salt for PHP passwords

Solution 2

According to this post The definitive guide to forms based website authentication, for step 3. and 4., I’m not sure you should send the same token you are storing.

I guess you must send the token, then hash it and stored the hashed token in DB. Otherwise, if your database is compromised, one can have access to the reset password page.

To summarize :

$token = md5(microtime (TRUE)*100000);
$tokenToSendInMail = $token;
$tokenToStoreInDB = hash($token);

where hash is a hashing algorithm.

Solution 3

No, MD5 is irreversible. The point of hashing passwords is to make it so an attacker who gets access to your database can’t access everyone’s passwords.

That said, MD5 (particularly unsalted MD5) can generally be attacked using a rainbow table. For security, you’re better off using bcrypt.

Solution 4

You cannot decrypt the password, and you shouldn’t even consider sending a password to a user via plaintext. (That is the #1 way to make me never ever use a site again; it’s a GIGANTIC security hole.) Provide a password reset page that is triggered from a link containing a time-associated key that is sent to the user’s password recovery email; that’s the current state of the art in password recovery.

Solution 5

The best thing for you to do is request people submit their email address when registering. Then if they forget, have a forgot password link which resets their password with a random value which is emailed to them so they can gain access and then change their password back to something more memorable. This way you don’t need to compromise the security.
You could have a link which they just need to submit their username into, butfor better security you should have a question and answer or memorable word.

Solution 6

As Marcus Reed stated, in 2015/2016 if you have PHP version >=5.5 don’t use MD5, password_hash() and password_verify() provide an easy and secure hashing for your password with the ability to provide a cost and automatically salts the hash.

I don’t have the ability to vote or comment currently which is why I’m providing a definitive statement to avoid confusion.

Solution 7

MD5 is intended to be a one-way hash. You will need to have them reset their password.

Solution 8

Write a page that accepts the md5 and email address as a get paramaeter and looks in the db for the email and md5’d password. Following Jared Cobb notes, that should get you on the right path. i just added some examples as well

eg url to send

 $code = isset($_GET['code']) ? $_GET['code'] : '';
    $email = isset($_GET['email']) ? $_GET['email'] : '';
$checkPw = '';

    if(empty($code) || empty($email))
    $sqlQuery = 'SELECT * FROM users WHERE email = "'.$email.'";
//remember to check for sql injections
    //then get the results as an array, i use a database class eg $user

     $checkPw = md5($user['password']);

    if($checkPw !== $code)
    //display form for user to change password

this should be sufficient enough for you to know that the user is a valid user and change his password

Solution 9

Use php’s built in password_verify and password_hash.

Solution 10

No you cannot decrypt it. that is the whole idea.

You would need to send them a temp password and for them to reset it.

Solution 11

You’ll need to do a password reset page. There’s no way in PHP to decrypt MD5.

Solution 12

MD5 is a one way function. You can’t decrypt it. SO you need to have a password reset page.

Note: Use and implement solution 1 because this method fully tested our system.
Thank you 🙂

All methods was sourced from or, is licensed under cc by-sa 2.5, cc by-sa 3.0 and cc by-sa 4.0

Leave a Reply