Ok. thats clear that one must store hashed password in the database but in case a user does not remembers the password and want to retrieve it back, then obviously the user wont like to have the hashed password. If the password is hashed with md5 or additional like salt and sha1 then how to retrieve back the password.
There is but one simple answer: You cannot.
Well, theoretically you could, but it could take many years per password if they are long enough. After all, that is the point of hashing passwords in the first place: to make the data effectively useless to an attacker (or at least protect the user's plaintext password, which is sensitive data.)
Just have the site send a "change your password" email containing a link to a page where that user can change his/her password. This is how most professional sites handle this dilemma.
This is meant to be intractable. Thus, you usually have to provide some way of resetting it. Sending a special link to the user's email is common, though it reduces your security to that of the email account.
See Forgot Password: what is the best method of implementing a forgot password function? .
The security of hashing instead of encrypting the password is that you cannot reverse a hash. If you could unhash the password and give the user their plain text password, then any hacker can reverse the hashed password you use for registration and sign in and "dehash" it to get the user's password.
This is a feature, not a bug.
hashing itself stands for "cannot be retrieved back".
If a user cannot remember their password, they don't need this one for sure.
Just create another random one and send them.
Not a big deal.
yes..one may forgot his/her password..the good practice while using hashed password would be to make the user type the email address of the account whose password he/she want to reset then the system will reset the users password with another generated password. The MD5 like hashed password is almost impossible to retrieve the original password from the hashed one
Always beware sites that can e-mail you the password you use. That means your password is easily seen by anyone who has access to the password database, which is especially dangerous if you reuse passwords.
For password resetting, I recommend using 'safe questions' with answers that are also encrypted.
It behooves all those who operate websites to keep their customers reasonably safe from hackers.
来源:https://stackoverflow.com/questions/3615408/php-dehashing-the-password