I have a sign up system and login.. when signing up, the password the person chooses gets md5-ed.. everything works great.. but im wondering, for when i create a 'lost password' form, how do i echo the md5 hash into what the pass really is?

You don't. The general idea is to not let anyone can get hold of the real password. You should generate a new (random) password for the user.

You generate a new password for them and require them to change it.


quick reply isn't as quick i guess...

Thats what i figured.. so im assuming that any site that actually does give me my actual password back, doesnt use md5 and is therefore insecure?

They could be using encryption/decryption (md5 is a hash, not encryption.)