decoding user passwords

         

sssweb

5:17 pm on Oct 29, 2008 (gmt 0)

10+ Year Member



Is there code to decipher an md5() hash...or is that the whole point, you're not supposed to be able to decipher it?

I have md5() passwords stored in my DB and need to send the password to the user in an email. Any way to translate it back to standard english?

RonPK

5:30 pm on Oct 29, 2008 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



The hash being undecipherable (?) is indeed the whole point.

If you're really desperate and also have much patience and lots of CPU power, you might be able to recover the password. Simply md5() a string and see if it matches the value in your DB. If not, next string...

sssweb

5:32 pm on Oct 29, 2008 (gmt 0)

10+ Year Member



Thanks, I'll just use a work-around.

eelixduppy

5:52 pm on Oct 29, 2008 (gmt 0)



You'll just have to reset the password to something else and rehash it (after sending it).

jatar_k

6:13 pm on Oct 29, 2008 (gmt 0)

WebmasterWorld Administrator 10+ Year Member



The method eelix mentioned is the correct process.

Passwords should be reset and emailed, then flagged for changing, not decrypted.

sssweb

6:29 pm on Oct 29, 2008 (gmt 0)

10+ Year Member



Thanks

NeilsPHP

8:32 pm on Oct 29, 2008 (gmt 0)

10+ Year Member



What if we try to not encrypt the passwords and store them as-is in MySQL? If a user requests the password using the forgot link, send the email to the email on file (besides the password in MySQL) so they recover it instead of resetting it. Will that be safe?
If we have to go the other route of resetting the password, how can we issue an email link that will validate the correct email before letting them reset it?

sssweb

9:38 pm on Oct 29, 2008 (gmt 0)

10+ Year Member



I got this working -- I just sent the email from a different file that had the unencrypted password variable in it.

NeilsPHP

12:16 am on Oct 30, 2008 (gmt 0)

10+ Year Member



Any suggestions/advice from anybody about saving password without encryption and sending it in email? Any ideas on coding techniques for generating an automatic email link to reset the password?

eelixduppy

12:21 am on Oct 30, 2008 (gmt 0)



>> suggestions/advice from anybody about saving password without encryption

Generally, don't do it.

>> coding techniques

Send a URL with a unique ID to the email they registered to allow them to reset the password. Have this expire in a short amount of time. The whole premise here is that if they have access to the email account they registered with your site, then it's legit. If you want you can validate with other credentials, as well, such as a security question, or a validation of their phone number, etc...
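
The reset-link flow described in the post above, as an added example that is not part of the original thread: a random single-use ID with a short expiry, stored only as a hash, followed by setting the new password with `password_hash()` instead of `md5()`. The function names, the 15-minute lifetime, the `example.com` URL and the in-memory arrays standing in for database tables are all assumptions made for illustration.

```php
<?php
// Added example: single-use, expiring password-reset link.
// $store and $users are in-memory stand-ins for database tables (hypothetical schema).

const RESET_TTL = 900; // seconds; assumed value, the post only says "a short amount of time"

function issueResetToken(array &$store, string $email, int $now): string
{
    $token = bin2hex(random_bytes(32)); // 256-bit ID from the CSPRNG, not guessable
    // Keep only a hash of the token, so a leaked table does not yield working links.
    $store[hash('sha256', $token)] = ['email' => $email, 'expires' => $now + RESET_TTL];
    return $token; // goes into the emailed URL only
}

function redeemResetToken(array &$store, string $token, int $now): ?string
{
    $key = hash('sha256', $token);
    if (!isset($store[$key])) {
        return null; // unknown token, or one that was already redeemed
    }
    $row = $store[$key];
    unset($store[$key]); // single use: burn the token whether or not it is still valid
    return $now <= $row['expires'] ? $row['email'] : null;
}

function setPassword(array &$users, string $email, string $newPassword): void
{
    // password_hash() adds a per-user salt and uses a deliberately slow algorithm.
    $users[$email] = password_hash($newPassword, PASSWORD_DEFAULT);
}

// Constructed demo data.
$store = [];
$users = [];
$now   = time();

$token = issueResetToken($store, 'user@example.com', $now);
echo "Emailed link: https://example.com/reset.php?token={$token}\n";

// User follows the link one minute later and chooses a new password.
$email = redeemResetToken($store, $token, $now + 60);
if ($email !== null) {
    setPassword($users, $email, 'constructed-new-password');
}
var_dump($email);                                         // first redemption
var_dump(redeemResetToken($store, $token, $now + 120));   // replay of the same link
$late = issueResetToken($store, 'user@example.com', $now);
var_dump(redeemResetToken($store, $late, $now + RESET_TTL + 1)); // link used after expiry
var_dump(password_verify('constructed-new-password', $users['user@example.com']));
```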

NeilsPHP

2:12 pm on Oct 30, 2008 (gmt 0)

10+ Year Member



Thanks, appreciate it.

jatar_k

4:03 pm on Oct 30, 2008 (gmt 0)

WebmasterWorld Administrator 10+ Year Member



Unencrypted passwords are fine, but it depends on what information you store about your users.