I store user passwords in the database in hashed form. I use System.Web.Helpers.Crypto for this. Here is an example of the encryption code:

    string password = "";
    string hash = Crypto.HashPassword(password);
    bool success = Crypto.VerifyHashedPassword(hash, password);

That is, I hash the passwords and write them to the database. And when I authorize a user, I can check whether he entered the correct password. But what if the user forgot his password? How can the hash be turned back into a normal password?

  • 5
    No, keep passwords nearby :) In fact, you need to generate a new password and send it to the forgetful user. - NewView

1 answer

The password cannot be recovered from the hash; that is the whole point of the security. You do not store a password that can be stolen, but only a hash, which allows you to verify the correctness of the entered password.

In the case when the user forgot the password, you need to have a "Forgot your password?" link (Reset Password). Then the user should be able to enter a new password.

In web applications, this is usually done by sending an email to the user's mailbox with a link to a page where he can enter a new password.

  • @demonplus But how do the services work where, when you forgot your password, they send you your password by mail? Do they store the password in the database? - Andrei
  • @Andrei Normal services send a new password, not the old one. - PashaPash
  • 1
    @Andrei You should not use the services that send the old password. - demonplus
  • 1
    The service must generate a temporary password, and then the user enters a new password. Storing a password instead of a hash contradicts all security requirements. - demonplus