Best way to implement a forgot password feature

I want to make it an easy process for the user, but at the same there should be a satisfactory level of security.

Currently the user passwords are stored in the database as an MD5 value. I don’t know if it’s a good idea to store the password in its plain text form.

I don’t particularly want to “reset” the password if the user forgets it, I want to be able to email the user with their actual password.

Now I don’t think MD5 can be decrypted so how should I go about this?

My implementation sends the user an auto generated password to their email which they can change after they login. I don’t know if this is the best solution but it certainly works.

That’s one way of doing it but as I said I don’t want to reset the password. So any more suggestions?

Hello gstar,

Once I implement this feature using MySql Encryption and Compression Functions like AES_ENCRYPT and AES_DECRYPT.

User Registration query should look like this:

INSERT INTO Users (email,password) VALUES ($email,AES_ENCRYPT('$password.','$secret_key'))

And the recovery query:

SELECT email,AES_DECRYPT(password,'$secret_key') FROM Users WHERE email = '$email'

Tip: You should set the password type as BLOB - binary in the Users table.


Revealing the original password is a security risk. I certainly don’t know how you can avoid resetting a password. I see these options:


[*]Autogenerate a new one and send a link to the registered email informing to change it to another one. Never showing the password.

[*]Ask the user a secret question and send him the password (I don’t like this one)


You can send them a mail, that contains a generated hash, that can be used to replace the password with a new one. This authentication hash can be part of a url, so the user actually only has to visit a website and to enter his new password.

Something like:

It’s actually the same as setting a temporary new password, but in my opinion easier for the user, since he doesn’t have to copy/paste the temp PW for the one shot login and he doesn’t have to navigate around to his profile after login 'till he finds the place to change his PW. The mail to validate the reset request is a must-have in either case.

Storing the passwords in a way that can be decrypted again to get the plain PW text should be avoided (again, personal opinion). Instead, you should save the passwords in form of a hash (MD5, SHA1 or the like) and protect it using PW salt. Otherwise, the hashes could be cracked using dictionary attacks or reverse lookup once the attacker got access to the hashes.