forgot your password? we will tell you what it is....how?

Posted on 2006-04-05
Medium Priority
Last Modified: 2010-04-11
Whenever I make a user registration site or something else that requires a password, I encrypt it so that in the database, it is unreadable.

If someone forgets, the encryption is one way so it cannot be decrypted.  In order to get them back in, i would need to reset the password to something I know, and then have them change their password later.

Does this mean that every website that is able to tell you what your password was when you forgot uses 2 way encryption (encrypt + decrypt, aka administrator could decrypt your password if he wanted to see what it was) or stores your password in plain text?  Is there anyway scheme setup so that only users are able to decrypt their own password, kinda like a public/private key?
Question by:edkim80

Accepted Solution

uberpoop earned 800 total points
ID: 16385099
You hit the nail on the head.... If they can send you your password, then they can decrypt it whenever they want.
Sure you could setup some pub/priv key excahnge stuff, but it is much simpler to just reset the password, and require users to change at next logon.

Assisted Solution

kamichie earned 800 total points
ID: 16385441
This all depends on the website, and how they want to store your password. They can encrypt it with their key and encryption schemea then store it (allowing for decryption by admin). There are one way hashes such as SHA,MD5, and MD4 these use a mostly irreversable algorithm to encrypt the key, when a users types their password the system hases it then checks it against it's database. These ites usually use some sort of e-mail password reset system. And then some really low-level sites just store them in plain text (very bad).

I personally prefer the hash system, this means if your database is compromised it shouldn't reveal the passwords to the attacker. Of course this is assuming the don't just try to bruteforce the hashes, which is possible.
LVL 24

Assisted Solution

SunBow earned 400 total points
ID: 16385782
> http://www.experts-exchange.com/Programming/Programming_Languages/Perl/


> Title: forgot your password? we will tell you what it is....how?


> Does this mean that every website that is able to tell you what your password was when you forgot

unfotunately, I dunno what you are talking about, what unknown sites may or may not do

You can make you own site, wirte a few programs, and advertise that you will help people to only need one password. All they have to do is register with you all their other passwords. Now if they forget, you can read it back to them from even plain text local store.

Try finding my password on my other system - no way.
2017 Webroot Threat Report

MSPs: Get the facts you need to protect your clients.
The 2017 Webroot Threat Report provides a uniquely insightful global view into the analysis and discoveries made by the Webroot® Threat Intelligence Platform to provide insights on key trends and risks as seen by our users.


Author Comment

ID: 16386118
Thanks for the answers...

SunBow.. i don't understand,
why point me to the Perl section, then say yes?
LVL 24

Expert Comment

ID: 16386134
er, thanks, and good luck                                             (that was quick)

<oops> I see a mistake on my first paste, so to claify my first response it should have been a

>  Is there anyway scheme setup so that only users are able to decrypt their own password,

LVL 24

Expert Comment

ID: 16386212
ah, simultaneous postsing
edkim80  > why point me to the Perl section,

the mistake. (or subconscious mindreading - some use perl to store passwords, and not even encrypt them. But the link was for posting to another question, stuck in the clipboard)

> then say yes?
that I restated in the last comment (there's more than one scheme that can be set up, and all too many seem to be clueless about that)

Featured Post

What does it mean to be "Always On"?

Is your cloud always on? With an Always On cloud you won't have to worry about downtime for maintenance or software application code updates, ensuring that your bottom line isn't affected.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

With the evolution of technology, we have finally reached a point where it is possible to have home automation features like having your thermostat turn up and door lock itself when you leave, as well as a complete home security system. This is a st…
What monsters are hiding in your child's room? In this article I will share with you a tech horror story that could happen to anyone, along with some tips on how you can prevent it from happening to you.
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…
When cloud platforms entered the scene, users and companies jumped on board to take advantage of the many benefits, like the ability to work and connect with company information from various locations. What many didn't foresee was the increased risk…
Suggested Courses

809 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question