php forgot password, using sha1()

Posted on 2007-08-07
Medium Priority
Last Modified: 2013-12-12

I have a user system running; it works fine for login/registration etc. When the user registers, it stores the password using the sha1() function, so it returns 40 digits.

I would like to know how I would unhash it, to create a forgot password page, because at the moment it sends an email but with the password as the 40-digit string, which won't work because it's the encrypted version.
Question by:ant385802

Assisted Solution

etully earned 100 total points
ID: 19651034
Can't be done.

The only thing you can do when they request a password is to email them a link that will let them choose a new password.

According to this page, http://en.wikipedia.org/wiki/SHA-1 , it is "computationally infeasible to... find a message that corresponds to a given message digest"
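
The reset link suggested in the answer above, as an added example that is not part of the thread or any poster's code: the e-mailed token is random, expires, works once, and only its hash is stored. The in-memory arrays, function names, user id 42 and example.com URL are assumptions, and it stores the new password with password_hash() rather than the thread's sha1(), so login would have to check it with password_verify().

```php
<?php
// Added example, not code from the thread. $resets and $users are in-memory
// stand-ins (assumptions) for the site's database tables.
$resets = [];   // user id => ['hash' => sha256 of token, 'expires' => unix time]
$users  = [42 => ['password' => sha1('old-password')]];  // constructed sample row

// Step 1: the user asks for a reset; returns the link to e-mail to them.
function issueResetLink(array &$resets, int $userId, int $ttl = 1800): string {
    $token = bin2hex(random_bytes(32));        // 256-bit token from the CSPRNG
    $resets[$userId] = [
        'hash'    => hash('sha256', $token),   // only the hash is kept server-side
        'expires' => time() + $ttl,
    ];
    // example.com/reset.php is a placeholder URL
    return "https://example.com/reset.php?uid=$userId&token=$token";
}

// Step 2: the user follows the link and submits a new password.
function redeemReset(array &$resets, array &$users, int $userId,
                     string $token, string $newPassword): bool {
    $entry = $resets[$userId] ?? null;
    if ($entry === null) {
        return false;                          // no pending reset, or already used
    }
    if (time() > $entry['expires']) {
        unset($resets[$userId]);               // expired: discard it
        return false;
    }
    if (!hash_equals($entry['hash'], hash('sha256', $token))) {
        return false;                          // wrong token; pending reset is kept
    }
    unset($resets[$userId]);                   // single use
    $users[$userId]['password'] = password_hash($newPassword, PASSWORD_DEFAULT);
    return true;
}

// Constructed walk-through: redeem the link once, then replay it.
$link = issueResetLink($resets, 42);
parse_str(parse_url($link, PHP_URL_QUERY), $q);
var_dump(redeemReset($resets, $users, 42, $q['token'], 'correct horse battery'));
var_dump(redeemReset($resets, $users, 42, $q['token'], 'something else'));
```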

Accepted Solution

cschand earned 400 total points
ID: 19652398
Yes.. etully is correct
you can generate a random password string using a function like

function createRandomString($length = 7) {
    // Look-alike characters (I, O, l, 0, 1) are left out of the alphabet
    $chars = "ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789";
    $pass = '';
    for ($i = 0; $i < $length; $i++) {
        // random_int() (PHP 7+) uses the system CSPRNG; index over the whole alphabet
        $pass .= $chars[random_int(0, strlen($chars) - 1)];
    }
    return $pass;
}

$newPass = createRandomString();
$newEncPass = sha1($newPass);
Then update the $newEncPass to Password field and mail the $newPass to User


Author Comment

ID: 19653023
Oh thanks, this was my second option, just thought it might be possible.


Expert Comment

ID: 19653143
Technically, there is a solution but it's less secure than what you have now.  (I mean, why bother using SHA-1 to encrypt the password if you're just going to send the password to people via totally unsecure *email* ?!?!)  But if you REALLY want to email people with their password, there is a way to do it.

It's only important to encrypt the passwords on machines that are facing the Internet.  If you wanted to have a second machine (let's call it Machine #2) that can't do anything except email passwords to people, then you could encrypt your passwords on your web server and leave them unencrypted on Machine #2 and it could send the password to the user.

I mean, the solution provided earlier generates a temp password and EMAILS that password to the user.  So you have to TRUST that no hacker can intercept and read the email with the temp password.  If you are willing to assume that no hacker is going to intercept the email with the temp password, then why not just email them the real password?

Or put another way - which is more important to you?  Making your system as secure as possible?  Or finding a balance between security and convenience?


Question has a verified solution.
