Question

When a new user registers on my site, it uses the crypt() method and then stores it in the DB.

I want to make an "I forgot my password" page where a user can get his password by mail.

My question is simply: how do I convert, for example, this: "$2a$13$Ku2hb./9aA71dPo/E015m.WBs6.RsDC/BL8jbz8dMRrmm0jGNIJRO" to "Some user password"?


Solution 2

The crypt() function uses one-way encryption, which means that there is no decrypt() function.

Basically you have two options:

1. Implement your own encryption method which you can decrypt later (not recommended)

2. Implement a 'reset password' instead

OTHER TIPS

Do what every other website does these days - do NOT offer a way to retrieve a password. Instead, offer a way to reset the password.

When the user clicks "I forgot my password", send them a link that they can use to reset it. Set an expiration on how long the link lives. If you want to be extra cautious, afterwards send an email confirming that a password was just reset, with a link in case the user didn't actually do so themselves.

You can't, because crypt() isn't an encryption function, it's a one-way hash function.

Note: There is no decrypt function, since crypt() uses a one-way algorithm.

You shouldn't do what you're describing anyway. If an attacker has access to someone's email and every website sent the "lost password" in plaintext to the user upon request, that attacker could gain even more passwords.

You should let the user enter a new password upon proving their identity (maybe by answering a question) and possession of that email.
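The reset flow the answers above describe (a short-lived link mailed to the user, the link consumed on use, a confirmation mail afterwards, and a new password set only after the user proves possession of the mailbox) as an added example. This is not code from the question or from any of the answers; it is written in Python rather than PHP, and it assumes in-memory dicts standing in for the users and reset-token tables, hashlib.scrypt standing in for the bcrypt hash that crypt() produces, an `outbox` list standing in for an actual mail sender, and a constructed 15-minute token lifetime.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60  # assumption: a reset link is valid for 15 minutes

# Constructed in-memory stores standing in for database tables.
users = {}         # email -> {"salt": bytes, "pw_hash": bytes}
reset_tokens = {}  # sha256(token) hex -> {"email": str, "expires": float}
outbox = []        # constructed stand-in for sending mail: list of {"to", "subject", "body"}


def hash_password(password, salt=None):
    """One-way password hash. scrypt from the stdlib stands in for crypt()'s bcrypt;
    like bcrypt, there is no way back from the digest to the password."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1)
    return salt, digest


def register(email, password):
    """Store only salt + digest, never the password itself."""
    salt, digest = hash_password(password)
    users[email] = {"salt": salt, "pw_hash": digest}


def verify_password(email, password):
    rec = users.get(email)
    if rec is None:
        return False
    _, digest = hash_password(password, rec["salt"])
    return hmac.compare_digest(digest, rec["pw_hash"])


def _token_hash(token):
    return hashlib.sha256(token.encode()).hexdigest()


def request_reset(email, now=None):
    """Step 1: user clicks "I forgot my password".
    Returns the random token to embed in the mailed link; only its hash is stored,
    so a leaked reset_tokens table does not hand out live reset links.
    Returns None for unknown emails; the web layer should show the same
    "if that address exists, we mailed it" page either way to avoid enumeration."""
    if email not in users:
        return None
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 256 bits of randomness, URL-safe
    reset_tokens[_token_hash(token)] = {"email": email, "expires": now + TOKEN_TTL_SECONDS}
    outbox.append({"to": email, "subject": "Reset your password",
                   "body": "https://example.com/reset?token=" + token})  # assumed URL
    return token


def complete_reset(token, new_password, now=None):
    """Step 2: user follows the link (proving possession of the mailbox) and sets a new password.
    The token must exist and be unexpired, and it is consumed on first use whether or not
    the attempt succeeds. Returns True only when the password was actually changed."""
    now = time.time() if now is None else now
    rec = reset_tokens.pop(_token_hash(token), None)  # pop: single use
    if rec is None or now > rec["expires"]:
        return False
    email = rec["email"]
    salt, digest = hash_password(new_password)
    users[email] = {"salt": salt, "pw_hash": digest}
    # Any other outstanding reset links for this account are now void as well.
    for h, r in list(reset_tokens.items()):
        if r["email"] == email:
            del reset_tokens[h]
    # The "extra cautious" step from the answer: tell the user a reset just happened.
    outbox.append({"to": email, "subject": "Your password was just reset",
                   "body": "If this wasn't you, lock your account: https://example.com/lock"})  # assumed URL
    return True
```

Passing `now` explicitly makes the expiry path testable without sleeping; in production the default `time.time()` is used. Note that the hash stored for the reset token is a plain sha256 rather than scrypt: the token already carries 256 bits of entropy, so there is nothing to brute-force and the cost factor of a password hash buys nothing there.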

Licensed under: CC-BY-SA with attribution