I'm using phpass in my current project and part of the project deals with password retrieval, so what I wanted to know: is it possible to unhash a password using phpass that's been hashed using phpass so it can be sent (via email) or changed?
If it was possible, the whole process would be kinda pointless, wouldn't it? – Jan 11 '13 at 20:24

Ah, I see what you mean: if it could be so easily undone via a phpass built-in method then it wouldn't be secure. I've seen other login forms send you your forgotten password to your email. I'd hate to think the way they achieve that was by storing the password as-is in the database. – zero Jan 12 '13 at 00:16

@zero: Sending a password by email is **evil** and should always be fundamentally impossible. – SLaks Jan 14 '13 at 19:01

@SLaks Yeah, I felt like it was a security issue. That means that the examples I've seen were storing the passwords in their raw-as-entered form in the database. – zero Jan 14 '13 at 19:39

@zero: Yes. (They may have been encrypting it, which is also wrong.) – SLaks Jan 14 '13 at 22:03
1 Answer
No.
If anyone behind a website can figure out a user's password via its encryption/hashing method, then you should change the password, stop using the website and tell everyone else to do the same.
- I would have made this a comment and not an answer, but since I don't have enough rep to do so I'll do this; it's a pretty legit answer anyway.

Jonast92
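Because the hash cannot be turned back into the password, the "changed" path from the question is normally handled with a single-use reset token instead of mailing anything secret. The sketch below is an added example, not code from the question or the answer; it uses PHP's built-in `password_hash()`/`password_verify()` in place of phpass, and the in-memory `$users` array, the function names and the address are hypothetical.

```php
<?php
// Constructed sample data: an array stands in for the users table.
$users = ['user@example.test' => [
    'hash'          => password_hash('old-secret', PASSWORD_DEFAULT),
    'reset_hash'    => null,
    'reset_expires' => 0,
]];

// Step 1: the user asks for a reset. Only a random token leaves the server;
// the store keeps just its SHA-256 digest and an expiry time.
function startReset(array &$users, string $email, int $ttl = 900): ?string
{
    if (!isset($users[$email])) {
        return null; // caller shows the same message whether or not the account exists
    }
    $token = bin2hex(random_bytes(32));
    $users[$email]['reset_hash']    = hash('sha256', $token);
    $users[$email]['reset_expires'] = time() + $ttl;
    return $token; // mailed to the user inside a reset link
}

// Step 2: the user presents the token and a new password.
// The old hash is overwritten; the old password is never recovered.
function finishReset(array &$users, string $email, string $token, string $newPassword): bool
{
    $u = $users[$email] ?? null;
    if ($u === null || $u['reset_hash'] === null || time() > $u['reset_expires']) {
        return false;
    }
    if (!hash_equals($u['reset_hash'], hash('sha256', $token))) {
        return false; // constant-time comparison failed
    }
    $users[$email]['hash']       = password_hash($newPassword, PASSWORD_DEFAULT);
    $users[$email]['reset_hash'] = null; // token is single use
    return true;
}

$token = startReset($users, 'user@example.test');
var_dump(finishReset($users, 'user@example.test', 'wrong-token', 'x'));
var_dump(finishReset($users, 'user@example.test', $token, 'new-secret'));
var_dump(password_verify('new-secret', $users['user@example.test']['hash']));
var_dump(password_verify('old-secret', $users['user@example.test']['hash']));
var_dump(finishReset($users, 'user@example.test', $token, 'again'));
```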