php forgot password, using sha1()

Posted on 2007-08-07
Last Modified: 2013-12-12

I have a user system running; it works fine (login/registration etc.). When the user registers it stores the password using the sha1() function, so it returns 40 digits.

I would like to know how I would unhash it, to create a forgot password page, because at the moment it sends an email but with the password as the 40 digit string, which won't work because it's the encrypted version.
Question by:ant385802
    LVL 2

    Assisted Solution

    Can't be done.

    The only thing you can do when they request a password is to email them a link that will let them choose a new password.

    According to this page, , "it is computationally infeasible to... find a message that corresponds to a given message digest"
    LVL 5

    Accepted Solution

    Yes.. etully is correct
    you can generate a random password string using a function like

    function createRandomString($length = 7) {
          // Alphabet leaves out easily confused characters (I, l, O, 0, 1)
          $chars = "ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789";
          $i = 0;
          $pass = '';
          while ($i < $length) {
                // Pick an index over the whole alphabet rather than a hard-coded 33.
                // rand() is not a cryptographic RNG; random_int() is the modern replacement.
                $num = rand() % strlen($chars);
                $tmp = substr($chars, $num, 1);
                $pass = $pass . $tmp;
                $i++;
          }
          return $pass;
    }
    $newPass = createRandomString();
    $newEncPass = sha1($newPass);
    Then update the Password field with $newEncPass and mail $newPass to the user.
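The two answers above describe the two usable options: mail a temporary password, or mail a link that lets the user choose a new password. The following is an added example (not code from either answer) of the link-based flow in PHP. It assumes a PDO connection `$db`, a `users` table with `id`, `email` and `password` columns, and a hypothetical `password_resets` table with `user_id`, `token_hash` and `expires_at`; it stores only the SHA-1 hash of the token, so a leaked table row cannot be turned back into a working link, and it uses password_hash() in place of a bare sha1() for the new password.

```php
<?php
// Added example: a forgot-password flow that emails a one-time reset link.
// $db is assumed to be a PDO connection; the password_resets table is hypothetical.

const TOKEN_TTL_SECONDS = 3600; // links expire after one hour

// Issue a reset token for $email. Returns the URL to mail, or null if the
// address is unknown (the caller should show the same generic message either way).
function issueResetToken(PDO $db, string $email, string $baseUrl): ?string {
    $stmt = $db->prepare('SELECT id FROM users WHERE email = ?');
    $stmt->execute([$email]);
    $userId = $stmt->fetchColumn();
    if ($userId === false) {
        return null;
    }
    // 32 bytes from the CSPRNG; this is what rand() in the answer above is not.
    $token = bin2hex(random_bytes(32));
    $stmt = $db->prepare(
        'INSERT INTO password_resets (user_id, token_hash, expires_at) VALUES (?, ?, ?)'
    );
    // Only the digest is stored; the raw token exists solely in the emailed link.
    $stmt->execute([$userId, sha1($token), time() + TOKEN_TTL_SECONDS]);
    return $baseUrl . '/reset.php?token=' . urlencode($token);
}

// Validate the token from the link and set the user's new password.
// Returns false for an unknown or expired token.
function completeReset(PDO $db, string $token, string $newPassword): bool {
    $stmt = $db->prepare(
        'SELECT user_id, expires_at FROM password_resets WHERE token_hash = ?'
    );
    $stmt->execute([sha1($token)]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || $row['expires_at'] < time()) {
        return false;
    }
    // Salted, deliberately slow hash instead of raw sha1() for the stored password.
    $db->prepare('UPDATE users SET password = ? WHERE id = ?')
       ->execute([password_hash($newPassword, PASSWORD_DEFAULT), $row['user_id']]);
    // Single use: remove every outstanding token for this user.
    $db->prepare('DELETE FROM password_resets WHERE user_id = ?')
       ->execute([$row['user_id']]);
    return true;
}
```

The login code would then verify with password_verify() instead of comparing sha1() output.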


    Author Comment

    Oh thanks, this was my second option, just thought it might be possible.

    LVL 2

    Expert Comment

    Technically, there is a solution but it's less secure than what you have now.  (I mean, why bother using SHA-1 to encrypt the password if you're just going to send the password to people via totally insecure *email* ?!?!)  But if you REALLY want to email people with their password, there is a way to do it.

    It's only important to encrypt the passwords on machines that are facing the Internet.  If you wanted to have a second machine (let's call it Machine #2) that can't do anything except email passwords to people, then you could encrypt your passwords on your web server and leave them unencrypted on Machine #2 and it could send the password to the user.

    I mean, the solution provided earlier generates a temp password and EMAILS that password to the user.  So you have to TRUST that no hacker can intercept and read the email with the temp password.  If you are willing to assume that no hacker is going to intercept the email with the temp password, then why not just email them the real password?

    Or put another way - which is more important to you?  Making your system as secure as possible?  Or finding a balance between security and convenience?
