
Changing Passwords PHP

How can I allow a change of password with md5 in mind? When the accounts are being created the passwords are being entered in md5. So now when I display the password field of course they are in md5 (don't worry, for testing purposes I am showing the password in the field instead of displaying hashes or dashes).

So how do I go about changing the passwords then? When they are changed they also need to be in md5.


Don't display anything in the password field. Have 3 fields. One for the original password (for security), and 2 for the new password (one for verification).

When submitted, check the old password, if it's right, md5 the new one and save it.
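One way to implement that three-field flow in PHP, as an added example that is not code from any of the answers: it uses PHP's built-in password_hash()/password_verify() (PHP 5.5+) instead of md5() for the new hash, in line with the advice further down the thread, and the minimum-length rule and column names are assumptions.

```php
<?php
// Added example (not from the thread): password-change logic for the
// three-field flow. Stores new hashes with password_hash() and migrates a
// legacy 32-hex-character md5 hash on the first successful change.

// Check the submitted current password against what is stored.
// Accepts either a password_hash() string or a legacy md5 hash.
function currentPasswordMatches(string $stored, string $supplied): bool
{
    if (preg_match('/^[0-9a-f]{32}$/i', $stored)) {
        // Legacy md5 row: constant-time compare of the recomputed hash.
        return hash_equals(strtolower($stored), md5($supplied));
    }
    return password_verify($supplied, $stored);
}

// Returns the new hash to store, or an error message. Nothing from the
// stored hash is ever shown to the user; only the submitted fields are checked.
function changePassword(string $storedHash, string $old, string $new, string $confirm): array
{
    if (!currentPasswordMatches($storedHash, $old)) {
        return ['ok' => false, 'error' => 'Current password is incorrect.'];
    }
    if ($new !== $confirm) {
        return ['ok' => false, 'error' => 'New passwords do not match.'];
    }
    if (strlen($new) < 12) {   // assumed policy, not from the thread
        return ['ok' => false, 'error' => 'New password must be at least 12 characters.'];
    }
    if (currentPasswordMatches($storedHash, $new)) {
        return ['ok' => false, 'error' => 'New password must differ from the current one.'];
    }
    return ['ok' => true, 'hash' => password_hash($new, PASSWORD_DEFAULT)];
}

// Constructed sample: an account created the old way, with md5('hunter2').
$storedHash = md5('hunter2');
$result = changePassword($storedHash, 'hunter2', 'correct horse battery', 'correct horse battery');
if ($result['ok']) {
    // e.g. UPDATE users SET password_hash = :hash WHERE id = :id (hypothetical column names)
    echo "store new hash: {$result['hash']}\n";
} else {
    echo "error: {$result['error']}\n";
}
```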


In the database you overwrite the old MD5 hash with the new MD5 hash. Or are you asking a user interface question?


The MD5 hash is a one-way hash that cannot be decrypted, so there's no need to display it. Changing the passwords updates the database with a new MD5 hash.


So how do i go about changing the passwords then?

I think you should read You're Probably Storing Passwords Incorrectly (an article by the author of stackoverflow.com):

We learned that in a password hashing scheme, speed is the enemy. We learned that MD5 was designed for speed. So, we learned that MD5 is the enemy.

If you must store your passwords (please also read below for more tips), use phpass to store your passwords securely. I advise you to read the article on the site explaining How to manage a PHP application's users and passwords. It will teach you how to do it securely using email verification tokens.

Just for the fun of it I also created a library (please also read below) which does this for you using the excellent phpass. It is hosted at GitHub and you can take a look at it if you like. In particular you should have a look at the Authentication Class together with AuthenticationTest.

OpenID

Furthermore I would like to point out you should use something like OpenID, Facebook Connect, Google Friend Connect instead. You should not be storing your passwords because it is risky business like The Dirty Truth About Web Passwords explains.

Jeff Atwood:

I'm not here to criticize Gawker. On the contrary, I'd like to thank them for illustrating in broad, bold relief the dirty truth about website passwords: we're all better off without them. If you'd like to see a future web free of Gawker style password compromises -- stop trusting every random internet site with a unique username and password! Demand that they allow you to use your internet driver's license -- that is, your existing Twitter, Facebook, Google, or OpenID credentials -- to log into their website.

I also have a nice OpenID library available at github which uses LightOpenID with openid-selector. You can see a demo up and running at my shared hosting provider: http://westerveld.name/php-openid/
