kazinix

Reputation: 30103

How to recover a password forgotten by the user if the password is a salted hash?

I just learned to use salt and hash to secure the passwords in my database. Now, I need to create a module that will allow the user to recover the password if they forgot it. How can I do that if the password is irreversible?

Upvotes: 2

Views: 2724

Answers (3)

matthewdaniel

Reputation: 1476

Hashing the password is a security measure that protects you, the password holder. If you had stored plain text and Mr User's bank account was accessed by a third party, since you only know the hash of his password you probably weren't the one to access his bank.

That being said, md5 even with salt isn't terribly unbreakable so it can be reversed http://www.stottmeister.com/blog/2009/04/14/how-to-crack-md5-passwords/

Upvotes: 3

tohaz

Reputation: 197

Only by changing the password using other supplied credentials. You can store passwords in plain text in the database, but encrypt them when validating. A web solution would be:

1. Get the password from the user
2. Get, for example, an md5 hash from it
3. Send the md5 to the server to validate

I do not advise storing plain text passwords :)

Upvotes: 0

Brandon

Reputation: 69983

You don't need to try to recover their old password, you just make a new one for them or have them do it.

You can generate a temporary password for them, salt and hash that password for them and email them the new password, or you send them an email link to reset their password.

Upvotes: 3
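The reset-link flow Brandon describes, as an added example that is not part of any answer on this page: the password is stored only as a salted PBKDF2 hash, and the reset token is single-use, time-limited, and stored only as its own hash so a leaked database row cannot be used to reset the account. The in-memory `USERS` dict, the function names and the 15-minute TTL are assumptions for illustration; a real application would persist these in its database and e-mail the token instead of returning it.

```python
import hashlib
import hmac
import secrets
import time

# Constructed in-memory stand-in for the users table (hypothetical, not the asker's schema).
USERS = {}
PBKDF2_ROUNDS = 200_000


def set_password(username, password):
    """Store only a salted PBKDF2 hash; the plaintext is never kept, so it cannot be recovered."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    USERS[username] = {"salt": salt, "hash": digest, "reset": None}


def check_password(username, password):
    rec = USERS.get(username)
    if rec is None:
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), rec["salt"], PBKDF2_ROUNDS)
    return hmac.compare_digest(digest, rec["hash"])  # constant-time comparison


def create_reset_token(username, ttl_seconds=900, now=None):
    """Return the one-time token to embed in the e-mailed link; only its SHA-256 is stored."""
    rec = USERS.get(username)
    if rec is None:
        return None  # caller should answer identically either way, so account existence is not revealed
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 256 bits of randomness, not guessable
    rec["reset"] = {"hash": hashlib.sha256(token.encode()).digest(), "expires": now + ttl_seconds}
    return token


def reset_password(username, token, new_password, now=None):
    """Consume the token and set a new password. Returns True only on success."""
    rec = USERS.get(username)
    pending = rec["reset"] if rec else None
    if pending is None:
        return False
    rec["reset"] = None  # single use: any attempt, right or wrong, burns the pending token
    now = time.time() if now is None else now
    if now > pending["expires"]:
        return False
    if not hmac.compare_digest(hashlib.sha256(token.encode()).digest(), pending["hash"]):
        return False
    set_password(username, new_password)
    return True
```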
