how to decrypt md5 hash

md5 is one way. You cannot reverse md5 encrypted strings. Typically, what developers will do when providing a forgot password link is to reset the user's password to something random, give that to them in an email, and then force them to reset their password on next login. Another solution would be to provide them with a random key and a "forgot password link" that can be used to allow them to reset their password. Just in case you are considering it, I want to mention that it's not a good idea to store passwords in the database in plain text. The fact that you can't retrieve the user's password means that a hacker can't either.

The whole point of having a hash of a password is that it's impossible to recover the original password from the hash. That way, if someone hacks the password database and steals all the hashes, they can't recover all the user's passwords. In fact, it's mathematically impossible to do so. A hash function maps all of the infinitely many possible strings to a set of strings of fixed length, so there are (ideally!) infinitely many strings that hash to any particular hash value. If you want to make a "forgot your password?" option, it's probably best to just reset the user's password to something random and then send an email containing the new junk password.

While the other posters are right, i think a specific answer is being sought so here goes. forgot password function can be implemented by using two columns related to the user id. one column is a random string, which can be of arbitrary length, and other the date time. When the user indicates that they have forgotten their password, you generate the random string and update this record with the string and the current date time. you then send an email to their registered email id with a url that has the random string. When that url is opened, you will check if the random string exists in your tables and if it has not been expired. you will check the current date time and the date time on which the string was generated, and you will have your own policy for determining what is the longest you will wait. typically 3 days is enough. if the link is expired, the forgot password will have to be started again. if the link is not expired, you will note the user id for which the string was generated and you will ask the user to enter their username and new password two times. the username has to match the userid for which the string was generated, and the two passwords be the same. you will then update the users password with the md5 hash of the new password. the reason you dont want to generate a new password is because if the user recalls the password, they can still log in, even while their forgot password is in process.

If users forget their passwords, you should not be sending them their passwords. Instead they should need to reset their passwords after verifying (perhaps by recieving an email, or some other means) that they are indeed the correct user.