• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1814
  • Last Modified:

php forgot password, using sha1()


I have a user system running, it works fine login/registraton etc when the user registers it stores the password using the sha1() function so returns a 40 digits.

I would like to know how i would unhash it? to create a forgot password page, cause at the moment it send and email but with the password as the 40 digit string which wont work cause its the encrypted version.
  • 2
2 Solutions
Can't be done.

The only thing you can do when they request a password is to email them a link that will let them choose a new password.

According to this page, http://en.wikipedia.org/wiki/SHA-1 , it is computationally infeasible to... find a message that corresponds to a given message digest"
Yes.. etully is correct
you can generate a random password string using a function like

function createRandomString($length = 7) {    
      $chars = "ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789";    
      $i = 0;    $pass = '' ;    
      while ($i <= $length) {        
            $num = rand() % 33;        
            $tmp = substr($chars, $num, 1);        
            $pass = $pass . $tmp;        $i++;    
      return $pass;
$newPass =  createRandomString();
$newEncPass = sha1($newPass);
Then update the $newEncPass to Password field and mail the $newPass to User

ant385802Author Commented:
Oh thaks, this was my second option just thought it might be possible.

Technically, there is a solution but it's less secure than what you have now.  (I mean, why bother using SHA-1 to encrypt the password if you're just going to send the password to people via totally unsecure *email* ?!?!)  But if you REALLY want to email people with their password, there is a way to do it.

It's only important to encrypt the passwords on machines that are facing the Internet.  If you wanted to have a second machine (let's call it Machine #2) that can't do anything except email passwords to people, then you could encrypt your passwords on your web server and leave them unencrypted on Machine #2 and it could send the password to the user.

I mean, the solution provided earlier generates a temp password and EMAILS that password to the user.  So you have to TRUST that no hacker can intercept and read the email with the temp password.  If you are willing to assume that no hacker is going to intercept the email with the temp password, then why not just email them the real password?

Or put another way - which is more important to you?  Making your system as secure as possible?  Or finding a balance between security and convenience?
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Introducing Cloud Class® training courses

Tech changes fast. You can learn faster. That’s why we’re bringing professional training courses to Experts Exchange. With a subscription, you can access all the Cloud Class® courses to expand your education, prep for certifications, and get top-notch instructions.

  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now