How to recover a password forgotten by the user if the password is saltedhash?
I just learned to use salt and hash to secure the passwords in my database. Now, I need to create a module that will allow the user to recover the password if they forgot it. How can I do that if the password is irreversible?
You don't need to try to recover their old password, you just make a new one for them or have them do it.
You can generate a temporary password for them, salt and hash that password for them and email them the new password, or you send them an email link to reset their password.
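The reset-link flow described in this answer, as an added example that is not part of the original post: the user's password is stored as a salted PBKDF2 hash that is never reversed; a random reset token is emailed, only the token's hash is kept server-side, and the token expires and is single-use. The in-memory dicts stand in for database tables and are constructed for the example.

```python
import hashlib
import hmac
import os
import secrets
import time

# Constructed stand-ins for database tables (not a real persistence layer).
USERS = {}            # username -> {"salt": bytes, "hash": bytes}
RESET_TOKENS = {}     # sha256(token) -> {"user": str, "expires": float}
TOKEN_TTL = 15 * 60   # seconds a reset link stays valid (assumed policy)


def hash_password(password, salt=None):
    """Salted PBKDF2-SHA256; the stored digest cannot be turned back into the password."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest


def register(username, password):
    """Create or overwrite the user's stored salt and hash (fresh salt each time)."""
    salt, digest = hash_password(password)
    USERS[username] = {"salt": salt, "hash": digest}


def verify_password(username, password):
    rec = USERS.get(username)
    if rec is None:
        return False
    _, digest = hash_password(password, rec["salt"])
    return hmac.compare_digest(digest, rec["hash"])   # constant-time compare


def create_reset_token(username, now=None):
    """Return the token to embed in the emailed link; only its hash is stored,
    so a leaked RESET_TOKENS table does not hand out usable links."""
    if username not in USERS:
        return None   # a real endpoint should respond identically to avoid leaking which accounts exist
    token = secrets.token_urlsafe(32)
    key = hashlib.sha256(token.encode()).digest()
    now = now if now is not None else time.time()
    RESET_TOKENS[key] = {"user": username, "expires": now + TOKEN_TTL}
    return token


def reset_password(token, new_password, now=None):
    """Consume the token (single use) and replace the stored salted hash."""
    key = hashlib.sha256(token.encode()).digest()
    entry = RESET_TOKENS.pop(key, None)   # removed whether valid or not
    now = now if now is not None else time.time()
    if entry is None or now > entry["expires"]:
        return False
    register(entry["user"], new_password)
    return True
```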
Hashing the password is a security measure that protects you and the password holder. If you had stored plain text and Mr User's bank account was accessed by a third party, since you only know the hash of his password you probably weren't the one to access his bank.
That being said, md5 even with salt isn't terribly unbreakable so it can be reversed http://www.stottmeister.com/blog/2009/04/14/how-to-crack-md5-passwords/
Only by changing the password using other supplied credentials. You can store passwords in plain text in the database, but encrypt them when validating. A web solution would be -> 1. Get the password from the user 2. Get, for example, an md5 hash from it 3. Send the md5 to the server to validate. I do not advise storing plain text passwords :)