Decode hash sha256 encryption, knowing the salt

Question

I'm making a login system for a web application. To store passwords in the DB, I'm encrypting passwords using sha256 as follows:

$salt ="sometext";
$escapedPW="userpass";
$saltedPW =  $escapedPW . $salt;
$hashedPW = hash('sha256', $saltedPW);
echo "<center>".$hashedPW."</center>";

In the database I am storing the user, the user's password and the salt used to make hash and validate the user's login. Right now I'm doing the functionality to send to the user an email with your password, but when the user receives the email, since is stored in sha256 encrypted password, the user receives a long string and not the password that the user is supposed to know.

My question is there any way that I can send you the actual user password and non the password encryption, ie, there is some way to do the reverse of sha256 if I know the salt?. If not possible, what method of encryption is recommended for you to complete the reverse of the encryption key and send the actual password to the user in an email.

Answer 1

As mentioned in the comments of your question, reversing the hash is not really an option.

What you can do however, and this is what everybody else does as well. In your registration code (ex. register.php) which your form post to you can make the PHP script send the password in an email and then encrypt it and store it in the database.

I suppose you have a registration form of some kind, and that form supposedly posts the new users details to another (or the same) php script, doesn't it?

For example if my form said something like <form method="post" action="register.php">

And in register.php I would then have something like

<?php
$username = mysql_real_escape_string($_POST['username']);
$password = mysql_real_escape_string($_POST['password']); /*cleartext*/
$email    = mysql_real_escape_string($_POST['email']);

mail($email,"New account","Your username \"$username\" and your password is \"$password\"");

$salt ="sometext";
$escapedPW="userpass";
$saltedPW =  $escapedPW . $salt;
$hashedPW = hash('sha256', $saltedPW);

mysql_query("INSERT INTO users (username, password, email) VALUES ($username, $hashedPW, $email)")

Some rough example code. I hope it helps!

Answer 2

You should NEVER send plaintext passwords via email. Rather, send a time-limited, single-use "reset password" link, as suggested in the comments.

You should not use a simple hash as suggested by @Henrik. Use a standard adjustable-work password KDF (PBKDF2,bcrypt,scrypt)

If you can use PHP 5.5, use the standard password hashing functions. There are hosts which do support PHP 5.5, but you have to look for them and ask for it.

There are many places on the web that explain how to do it correctly (e.g. https://wiki.mozilla.org/WebAppSec/Secure_Coding_Guidelines#Authentication) and many that explain how to do it incorrectly. PLEASE take some time to research this before you decide to roll your own authentication system.