forgot your password? we will tell you what it is....how?

Whenever I make a user registration site or something else that requires a password, I encrypt it so that in the database, it is unreadable.

If someone forgets, the encryption is one way so it cannot be decrypted. In order to get them back in, I would need to reset the password to something I know, and then have them change their password later.

Does this mean that every website that is able to tell you what your password was when you forgot uses 2-way encryption (encrypt + decrypt, i.e. an administrator could decrypt your password if he wanted to see what it was) or stores your password in plain text? Is there any scheme set up so that only users are able to decrypt their own password, kind of like a public/private key?
edkim80 asked:

uberpoop commented:
You hit the nail on the head.... If they can send you your password, then they can decrypt it whenever they want.
Sure you could set up some pub/priv key exchange stuff, but it is much simpler to just reset the password, and require users to change at next logon.

kamichie commented:
This all depends on the website, and how they want to store your password. They can encrypt it with their key and encryption scheme, then store it (allowing for decryption by admin). There are one-way hashes such as SHA, MD5, and MD4; these use a mostly irreversible algorithm to encrypt the key. When a user types their password the system hashes it, then checks it against its database. These sites usually use some sort of e-mail password reset system. And then some really low-level sites just store them in plain text (very bad).

I personally prefer the hash system; this means if your database is compromised it shouldn't reveal the passwords to the attacker. Of course this is assuming they don't just try to bruteforce the hashes, which is possible.
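The two points made above (hash-only storage means the site cannot read the password back, so "forgot password" has to be a reset plus a forced change at next logon) as a worked example. This is added code, not from the thread or any of its posters; the in-memory USERS dict stands in for the site's database, and PBKDF2-HMAC-SHA256 is assumed as the one-way hash.

```python
import hashlib
import hmac
import os
import secrets

# Hypothetical in-memory "database": username -> {salt, hash, must_change}.
# Note that no plaintext or decryptable password is ever stored.
USERS = {}

def _derive(password: str, salt: bytes) -> bytes:
    # Salted, iterated, one-way derivation: there is no decrypt step,
    # so an admin with database access still cannot read the password.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def register(username: str, password: str) -> None:
    salt = os.urandom(16)  # per-user salt defeats precomputed hash tables
    USERS[username] = {"salt": salt, "hash": _derive(password, salt), "must_change": False}

def verify(username: str, password: str) -> bool:
    rec = USERS.get(username)
    if rec is None:
        return False
    # Constant-time compare so timing does not leak how many bytes matched.
    return hmac.compare_digest(rec["hash"], _derive(password, rec["salt"]))

def reset_password(username: str) -> str:
    """What the site can do when a user forgets: it cannot recover the old
    password, so it picks a new temporary one, stores only its hash, and
    flags the account so the user must change it at next logon."""
    temp = secrets.token_urlsafe(12)
    rec = USERS[username]
    rec["salt"] = os.urandom(16)
    rec["hash"] = _derive(temp, rec["salt"])
    rec["must_change"] = True
    return temp  # handed to the user out of band (e.g. e-mail); never stored

def change_password(username: str, old: str, new: str) -> bool:
    if not verify(username, old):
        return False
    register(username, new)  # fresh salt and hash; clears must_change
    return True

if __name__ == "__main__":
    register("alice", "correct horse")
    temp = reset_password("alice")
    assert verify("alice", temp) and not verify("alice", "correct horse")
    assert change_password("alice", temp, "new secret")
    assert not USERS["alice"]["must_change"]
```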
SunBow commented:
> http://www.experts-exchange.com/Programming/Programming_Languages/Perl/

Yes

> Title: forgot your password? we will tell you what it is....how?

cheat?

> Does this mean that every website that is able to tell you what your password was when you forgot

unfortunately, I dunno what you are talking about, what unknown sites may or may not do

You can make your own site, write a few programs, and advertise that you will help people to only need one password. All they have to do is register with you all their other passwords. Now if they forget, you can read it back to them from even plain text local store.

Try finding my password on my other system - no way.

edkim80 (author) commented:
Thanks for the answers...

SunBow.. I don't understand,
why point me to the Perl section, then say yes?
SunBow commented:
er, thanks, and good luck (that was quick)

<oops> I see a mistake on my first paste, so to clarify my first response it should have been a

> Is there any scheme set up so that only users are able to decrypt their own password,

yes
SunBow commented:
ah, simultaneous posting
edkim80  > why point me to the Perl section,

the mistake. (or subconscious mindreading - some use perl to store passwords, and not even encrypt them. But the link was for posting to another question, stuck in the clipboard)

> then say yes?
that I restated in the last comment (there's more than one scheme that can be set up, and all too many seem to be clueless about that)