Crypt decrypt password


Tandem
03-02-2006, 11:53 AM
Hi!!!
I need to crypt passwords from users using php. I've read about crypt or md5 methods, but they do not allow to decrypt passwords and I need to do it to send my users their password via email if they forget it.
Could you advise me what method is best to use?

THANKS A LOT!!!:)

djm0219
03-02-2006, 12:00 PM
Don't use something that allows passwords to be retrieved. Go with a one way hash like MD5 and provide a way for them to reset their password then force them to change it once they've gotten a new random password.

Tandem
03-02-2006, 12:31 PM
Yes, it's better, thanks. :thumbsup:

lansing
03-02-2006, 04:20 PM
Is there a way to encrypt records before inserting them into the database, but decrypting them when it is time to display them? Like if I want to store sensitive information in the database encrypted, but would need to see the information in plain text on the page.

This isn't for a user name & password storing so I don't think MD5 would work. I have heard people say it can be decrypted & some say it can't be.

dniwebdesign
03-02-2006, 08:03 PM
MD5 Encryption cannot be decrypted... it is a one way hash function.

GJay
03-03-2006, 08:08 AM
Take a look at mcrypt (http://uk.php.net/mcrypt) for encryption/decryption with PHP

NancyJ
03-03-2006, 08:36 AM
While it's true that MD5 cannot be decrypted - it can be cracked. In the same way that you would check to see if a password matched, you hash a word and compare it with the hash value for the password or whatever, if they match then you can use that word as a password for that account and get in - it does not need to be the same word as the value stored in the MD5 hash - just have the same hash. (It is possible for different values to have the same hash; there is a finite number of md5 hashes but an infinite number of possible pre-hashed values.)

arne
03-03-2006, 09:32 AM
There are also sites that say they have a 'decoder' of md5. You can enter an md5-code there, and they check in their database if they have a word that has the corresponding hash. If they do, you get the word, and then you sort of hacked the md5.

chump2877
03-03-2006, 12:24 PM
You don't ever need to show the md5 hash to anyone, keep the md5 hash comparisons hidden inside your server code...people can't get the hash if they never see it....

for example...when a user first selects a password, hash it and store it in a database....then when the user enters their password later in a form, hash the POST value and compare it to the hashed password (associated with that username) in the database...

NancyJ
03-03-2006, 12:55 PM
> You don't ever need to show the md5 hash to anyone, keep the md5 hash comparisons hidden inside your server code...people can't get the hash if they never see it....
>
> for example...when a user first selects a password, hash it and store it in a database....then when the user enters their password later in a form, hash the POST value and compare it to the hashed password (associated with that username) in the database...

On those grounds you wouldn't need to encrypt the password at all, since the plain text password stored in the database isn't shown to anyone either ;) The reason we encrypt data is that in the event of a security breach via any method and someone with malicious intent gets access to the stored data, they won't be able to use it to access login accounts.

marek_mar
03-03-2006, 01:29 PM
Please don't go into the "Is MD5 secure" discussion, it's not the topic. Having a whole site in mind I'm sure that MD5 won't be the weakest link in your security.

Spookster
03-03-2006, 01:51 PM
The original poster has already had his question answered. Closing thread...
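
The approach the thread settles on (store only a one-way hash, compare hashes at login, reset instead of retrieve), as an added PHP example that is not part of the original thread. It assumes PHP 7.1+, swaps the MD5 mentioned above for PHP's built-in salted `password_hash()`, and assumes the reset is done with a one-time e-mailed token; the `$users` array and all function names are hypothetical stand-ins for a real user table.

```php
<?php
// Added example: an in-memory array stands in for the users table (constructed data).
$users = [];

function register(array &$users, string $name, string $password): void {
    // password_hash() picks a random per-user salt and a deliberately slow algorithm.
    $users[$name] = ['hash' => password_hash($password, PASSWORD_DEFAULT),
                     'reset' => null, 'reset_expires' => 0];
}

function login(array &$users, string $name, string $password): bool {
    if (!isset($users[$name])) return false;
    // Hash the submitted value and compare it with the stored hash, server-side only.
    if (!password_verify($password, $users[$name]['hash'])) return false;
    // Transparently upgrade old hashes when PHP's default algorithm or cost changes.
    if (password_needs_rehash($users[$name]['hash'], PASSWORD_DEFAULT)) {
        $users[$name]['hash'] = password_hash($password, PASSWORD_DEFAULT);
    }
    return true;
}

function startReset(array &$users, string $name): ?string {
    if (!isset($users[$name])) return null;
    $token = bin2hex(random_bytes(32));               // goes into the e-mailed link
    $users[$name]['reset'] = hash('sha256', $token);  // only the digest is stored
    $users[$name]['reset_expires'] = time() + 3600;   // valid for one hour
    return $token;
}

function finishReset(array &$users, string $name, string $token, string $newPassword): bool {
    $u = $users[$name] ?? null;
    if ($u === null || $u['reset'] === null || time() > $u['reset_expires']) return false;
    // Constant-time comparison of the stored digest with the digest of the supplied token.
    if (!hash_equals($u['reset'], hash('sha256', $token))) return false;
    $users[$name]['hash'] = password_hash($newPassword, PASSWORD_DEFAULT);
    $users[$name]['reset'] = null;                    // token is single use
    return true;
}

// Constructed demo data: two users who happen to choose the same password.
register($users, 'alice', 'constructed-pass-1');
register($users, 'bob', 'constructed-pass-1');
// Unsalted MD5 maps equal passwords to equal digests, which is what lookup sites rely on.
var_dump(md5('constructed-pass-1') === md5('constructed-pass-1'));
// Salted hashes of the same password differ per user.
var_dump($users['alice']['hash'] === $users['bob']['hash']);
$token = startReset($users, 'alice');
var_dump(finishReset($users, 'alice', $token, 'constructed-pass-2'));
var_dump(login($users, 'alice', 'constructed-pass-1'), login($users, 'alice', 'constructed-pass-2'));
```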