[AiRaLoKa]

hi all...

i used MySQL R28 for my admin system. I use sha1() to hashing player's password. I want to make something like password recovery. but i don't know how to de-hash them. i don't want to hacking player's account(what is the benefit for me ). just a password recovery system.

[PrivatioBoni]

You can do this without "de-hashing".

Having passwords in plain text is pretty stupid.

[DanLore]

I'd suggest either allow players to enter a security question, or allow them to define an email address.

Security Question:
-----------------------
You could still hash this with SHA1 or MD5 into the database (their answer), and on a web page allow them to input text and also hash that, compare the two strings to see if the answer they provided matches their security question answer, and if so allow them to set a new password on your website.

Email Address:
-----------------------
If they have an email address, have a password reset link sent to their email address which, when clicked, allows them to set a new password.

[AiRaLoKa]

Quote:

Originally Posted by DanLore I'd suggest either allow players to enter a security question, or allow them to define an email address. Security Question: ----------------------- You could still hash this with SHA1 or MD5 into the database (their answer), and on a web page allow them to input text and also hash that, compare the two strings to see if the answer they provided matches their security question answer, and if so allow them to set a new password on your website. Email Address: ----------------------- If they have an email address, have a password reset link sent to their email address which, when clicked, allows them to set a new password.

damn-,- it's easy to say -,- i want to make it but don't know how to do it -,-

[NewerthRoleplay]

Since you're using MySQL you can just as easily implement it into a PHP script. There is a few tutorials on the net for using PHP with MySQL if you're not already familiar. You can just send an email to whoever registered the account with a URL e.g. http://example.com/email_verify/5f4d...8327deb882cf99 where the last part of the URL is a string stored alongside the users email to verify that they actually have access to the email account it was already registered with. Then ask them to put in a new password, hash it store it in the DB and done.. Obviously making sure to sanitize all the fields making it secure. (Probably all possible in PAWN using a smaller random string that someone would enter into a dialog for prove of identity)

You can't simply de-hash a password without using a lot of processing power, hence the whole point of a hash in the first place. If it's simple to revers the hash then doing it in the first place would be absolutely pointless.