Gotta question for ya...

I'm developing a request password script (email the password to the user), and all the passwords are encrypted using the md5 hash/function.

I need to sort of "decrypt" the md5 string into what the password is so that they can actually retrieve their password. I've searched around on php.net and stuff, and can't figure out how to do this.

Any suggestions?

Its not possible. md5 is a one way hashing algorithm.

Its not possible. md5 is a one way hashing algorithm.Hrrrm, well - I suppose I will have to use a password reset system then... but I noticed that vbulletin has a password retrieval system, but the passwords are encrypted.

How does that work? Or are you permitted to say?

it just issues a new password once you confirm the link in your email.

Strings generated by the MD5 algorithm are not encrypted versions of the original string. They are hashes: unique (to one in an incredibly huge number) signatures of the original string. As the signature never contains any part of the original string, it is not possible to "decrypt" it because it does not apply.

I suggest doing what Scott does (and what vB does): include a unique ID in a URL e-mailed to the user, and when the user clicks the link, confirm the ID against one stored in the database and then allow the user to enter a new password.

I see, that makes sense.

I'll create a password resetting sytem via e-mail then, which will be easy since I have a user registration system that is similar (random unique ID validation via e-mail).

Thanks and stuff!