forgot your password? we will tell you what it

Posted on 2006-04-05
Last Modified: 2010-04-11
Whenever I make a user registration site or something else that requires a password, I encrypt it so that in the database, it is unreadable.

If someone forgets, the encryption is one way so it cannot be decrypted.  In order to get them back in, I would need to reset the password to something I know, and then have them change their password later.

Does this mean that every website that is able to tell you what your password was when you forgot uses 2-way encryption (encrypt + decrypt, aka the administrator could decrypt your password if he wanted to see what it was) or stores your password in plain text?  Is there any scheme set up so that only users are able to decrypt their own password, kinda like a public/private key?
Question by:edkim80
    LVL 4

    Accepted Solution

    You hit the nail on the head.... If they can send you your password, then they can decrypt it whenever they want.
    Sure you could set up some pub/priv key exchange stuff, but it is much simpler to just reset the password, and require users to change at next logon.
    LVL 4

    Assisted Solution

    This all depends on the website, and how they want to store your password. They can encrypt it with their key and encryption scheme then store it (allowing for decryption by admin). There are one-way hashes such as SHA, MD5, and MD4; these use a mostly irreversible algorithm to encrypt the key. When a user types their password the system hashes it then checks it against its database. These sites usually use some sort of e-mail password reset system. And then some really low-level sites just store them in plain text (very bad).

    I personally prefer the hash system; this means if your database is compromised it shouldn't reveal the passwords to the attacker. Of course this is assuming they don't just try to brute-force the hashes, which is possible.
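    The two answers above land on the same design: store only a one-way hash so the site itself cannot read the password back, and handle "I forgot" with an e-mailed reset rather than by returning the old secret. As an added example that is not part of the original thread, the Python below implements that flow end to end: a per-user random salt, PBKDF2-HMAC-SHA256 in place of a bare MD5/SHA digest so that the brute-force attack the second answer mentions costs the attacker one slow derivation per guess, constant-time verification, and a single-use, time-limited reset token of which only the hash is stored. The UserStore class, its method names, the record format and the iteration count are assumptions made for the illustration, not anything the thread describes.

```python
import hashlib
import hmac
import os
import secrets
import time
from typing import Dict, Optional, Tuple

# Assumed parameters for this illustration. The iteration count is what makes
# brute-forcing a leaked database slow; raise it as far as login latency allows.
PBKDF2_ITERATIONS = 100_000
SALT_BYTES = 16
RESET_TOKEN_TTL_SECONDS = 15 * 60


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)          # fresh random salt per user
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Re-derive with the stored salt and iteration count; compare in constant time."""
    try:
        algo, iterations, salt_hex, hash_hex = record.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest, bytes.fromhex(hash_hex))


# Used to spend the same amount of work on unknown usernames as on real ones.
_DUMMY_RECORD = hash_password("")


class UserStore:
    """In-memory stand-in for the site's user table (assumed for the example)."""

    def __init__(self) -> None:
        self.users: Dict[str, str] = {}                    # username -> password record
        self.resets: Dict[str, Tuple[str, float]] = {}     # username -> (sha256(token), expiry)

    def register(self, username: str, password: str) -> None:
        self.users[username] = hash_password(password)

    def login(self, username: str, password: str) -> bool:
        record = self.users.get(username)
        if record is None:
            verify_password(password, _DUMMY_RECORD)       # equalise timing, then refuse
            return False
        return verify_password(password, record)

    def start_reset(self, username: str, now: Optional[float] = None) -> Optional[str]:
        """Mint a one-time reset token to e-mail to the user; only its hash is kept."""
        if username not in self.users:
            return None
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        token_hash = hashlib.sha256(token.encode("ascii")).hexdigest()
        self.resets[username] = (token_hash, now + RESET_TOKEN_TTL_SECONDS)
        return token

    def finish_reset(self, username: str, token: str, new_password: str,
                     now: Optional[float] = None) -> bool:
        """Accept the token once, before expiry, and replace the stored hash."""
        now = time.time() if now is None else now
        entry = self.resets.get(username)
        if entry is None:
            return False
        token_hash, expiry = entry
        if now > expiry:
            del self.resets[username]
            return False
        presented = hashlib.sha256(token.encode("ascii")).hexdigest()
        if not hmac.compare_digest(token_hash, presented):
            return False
        del self.resets[username]                          # single use
        self.users[username] = hash_password(new_password)
        return True


if __name__ == "__main__":
    store = UserStore()
    store.register("edkim80", "hunter2")
    print("login ok:", store.login("edkim80", "hunter2"))
    token = store.start_reset("edkim80")
    print("reset ok:", store.finish_reset("edkim80", token, "new-passphrase"))
    print("old password still works:", store.login("edkim80", "hunter2"))
```

    Two details matter for the reset path: the database holds only the SHA-256 of the token, so a dump of the table does not let an attacker finish someone else's reset, and the token is deleted on first use or expiry. Note that start_reset returning None for an unknown user is fine internally, but the HTTP response wrapping it should look identical either way so the form cannot be used to enumerate accounts.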
    LVL 24

    Assisted Solution



    > Title: forgot your password? we will tell you what it


    > Does this mean that every website that is able to tell you what your password was when you forgot

    unfortunately, I dunno what you are talking about, what unknown sites may or may not do

    You can make your own site, write a few programs, and advertise that you will help people to only need one password. All they have to do is register with you all their other passwords. Now if they forget, you can read it back to them from even a plain text local store.

    Try finding my password on my other system - no way.
    LVL 8

    Author Comment

    Thanks for the answers...

    SunBow.. i don't understand,
    why point me to the Perl section, then say yes?
    LVL 24

    Expert Comment

    er, thanks, and good luck                                             (that was quick)

    <oops> I see a mistake on my first paste, so to clarify my first response it should have been a

    >  Is there any scheme set up so that only users are able to decrypt their own password,

    LVL 24

    Expert Comment

    ah, simultaneous posting
    edkim80  > why point me to the Perl section,

    the mistake. (or subconscious mindreading - some use perl to store passwords, and not even encrypt them. But the link was for posting to another question, stuck in the clipboard)

    > then say yes?
    that I restated in the last comment (there's more than one scheme that can be set up, and all too many seem to be clueless about that)
