
forgot your password? we will tell you what it is....how?

Asked by edkim80 | Medium Priority | 248 Views | Last Modified: 2010-04-11
Whenever I make a user registration site or something else that requires a password, I encrypt it so that in the database, it is unreadable.

If someone forgets, the encryption is one way so it cannot be decrypted. In order to get them back in, I would need to reset the password to something I know, and then have them change their password later.

Does this mean that every website that is able to tell you what your password was when you forgot uses 2-way encryption (encrypt + decrypt, aka the administrator could decrypt your password if he wanted to see what it was) or stores your password in plain text? Is there any scheme set up so that only users are able to decrypt their own password, kinda like a public/private key?

Commented:
You hit the nail on the head.... If they can send you your password, then they can decrypt it whenever they want.
Sure you could set up some pub/priv key exchange stuff, but it is much simpler to just reset the password, and require users to change it at next logon.

Commented:
This all depends on the website, and how they want to store your password. They can encrypt it with their key and encryption scheme, then store it (allowing for decryption by admin). There are one-way hashes such as SHA, MD5, and MD4; these use a mostly irreversible algorithm to encrypt the key. When a user types their password the system hashes it, then checks it against its database. These sites usually use some sort of e-mail password reset system. And then some really low-level sites just store them in plain text (very bad).

I personally prefer the hash system; this means if your database is compromised it shouldn't reveal the passwords to the attacker. Of course this is assuming they don't just try to brute-force the hashes, which is possible.
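As an added illustration of the hash-plus-reset model described in the comment above (this is example code written for this page, not anything posted in the thread), the following Python stores only a salted PBKDF2-HMAC-SHA256 digest per user, verifies logins against it, and handles a forgotten password with a single-use, time-limited reset token whose hash is all the server keeps. The `CredentialStore` class, the iteration count and the token lifetime are assumptions chosen for the example; the in-memory dictionaries stand in for the database table.

```python
import hashlib
import hmac
import os
import secrets
import time

# Assumed parameters for this example; tune the iteration count to your hardware.
PBKDF2_ITERATIONS = 200_000
TOKEN_TTL_SECONDS = 900  # reset tokens expire after 15 minutes


def hash_password(password, salt=None):
    """Return (salt, derived_key). A fresh random salt is drawn per password,
    so two users with the same password get different stored digests."""
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, dk


def verify_password(password, salt, stored_dk):
    """Recompute the digest with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, stored_dk)


class CredentialStore:
    """Hypothetical credential table: the server can check a password but never read it back."""

    def __init__(self):
        self.users = {}         # username -> {"salt": bytes, "dk": bytes}
        self.reset_tokens = {}  # username -> {"token_hash": bytes, "expires": float}

    def register(self, username, password):
        salt, dk = hash_password(password)
        self.users[username] = {"salt": salt, "dk": dk}

    def login(self, username, password):
        rec = self.users.get(username)
        if rec is None:
            # Hash anyway so an unknown username costs as much as a wrong password.
            hash_password(password)
            return False
        return verify_password(password, rec["salt"], rec["dk"])

    def begin_reset(self, username, now=None):
        """Issue a one-time token to be sent to the user's e-mail address.
        Only its SHA-256 digest is stored, so a database leak does not expose live tokens."""
        if username not in self.users:
            raise KeyError(username)
        token = secrets.token_urlsafe(32)
        now = time.time() if now is None else now
        self.reset_tokens[username] = {
            "token_hash": hashlib.sha256(token.encode("utf-8")).digest(),
            "expires": now + TOKEN_TTL_SECONDS,
        }
        return token

    def complete_reset(self, username, token, new_password, now=None):
        """Consume the token (whether or not it matches) and set a new salted hash."""
        pending = self.reset_tokens.pop(username, None)
        if pending is None:
            return False
        now = time.time() if now is None else now
        presented = hashlib.sha256(token.encode("utf-8")).digest()
        if not hmac.compare_digest(presented, pending["token_hash"]) or now >= pending["expires"]:
            return False
        self.register(username, new_password)  # new salt, new digest
        return True


if __name__ == "__main__":
    store = CredentialStore()
    store.register("alice", "correct horse battery staple")
    print("login ok:", store.login("alice", "correct horse battery staple"))
    print("wrong pw:", store.login("alice", "hunter2"))
    tok = store.begin_reset("alice")
    print("reset ok:", store.complete_reset("alice", tok, "new passphrase"))
    print("new pw  :", store.login("alice", "new passphrase"))
```

The store never holds a decryptable form of the password, which is exactly why the site can only offer a reset rather than a reminder; the token is popped on first use so a guessed or replayed token cannot be retried against the same pending request.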
Commented:
> http://www.experts-exchange.com/Programming/Programming_Languages/Perl/

Yes

> Title: forgot your password? we will tell you what it is....how?

cheat?

> Does this mean that every website that is able to tell you what your password was when you forgot

unfortunately, I dunno what you are talking about, what unknown sites may or may not do

You can make your own site, write a few programs, and advertise that you will help people to only need one password. All they have to do is register with you all their other passwords. Now if they forget, you can read it back to them from even plain text local store.

Try finding my password on my other system - no way.

Author commented:
Thanks for the answers...

SunBow.. I don't understand,
why point me to the Perl section, then say yes?

Commented:
er, thanks, and good luck (that was quick)

<oops> I see a mistake on my first paste, so to clarify my first response it should have been a

> Is there any scheme set up so that only users are able to decrypt their own password,

yes

Commented:
ah, simultaneous posting
edkim80 > why point me to the Perl section,

the mistake. (or subconscious mindreading - some use perl to store passwords, and not even encrypt them. But the link was for posting to another question, stuck in the clipboard)

> then say yes?
that I restated in the last comment (there's more than one scheme that can be set up, and all too many seem to be clueless about that)