MD5 is a cryptographic hash, not an encryption scheme. It cannot be reversed in any direct way. It can only be brute-forced by trying possible passwords until one which matches is found. This is not recommended.

MD5 是加密散列，而不是加密方案。它不能以任何直接的方式逆转。它只能通过尝试可能的密码直到找到匹配的密码来强制执行。不建议这样做。

You cannot reasonably recover the password. Your forgot password link should instead reset the password.

您无法合理地恢复密码。您的忘记密码链接应改为重置密码。

This is intentional and good design. MD5 is used to hash the passwords so that if the password database should be hacked, the hackers will only have access to the hashes of the passwords and not the original passwords, making it difficult for them to discover your users' passwords.

这是有意而为的好设计。MD5 用于对密码进行散列，因此如果密码数据库被黑客入侵，黑客将只能访问密码的散列而不是原始密码，因此他们很难发现您用户的密码。

However, at this point, MD5 crackers have gotten fast enough that it is not recommended for password use. In the future, scrypt or bcrypt should be used as the password hash function.

然而，在这一点上，MD5 破解程序已经足够快，不建议使用密码。以后应该使用 scrypt 或 bcrypt 作为密码哈希函数。

The whole point of having a hash of a password is that it's impossible to recover the original password from the hash. That way, if someone hacks the password database and steals all the hashes, they can't recover all the user's passwords. In fact, it's mathematically impossible to do so. A hash function maps all of the infinitely many possible strings to a set of strings of fixed length, so there are (ideally!) infinitely many strings that hash to any particular hash value.

拥有密码散列的全部意义在于不可能从散列中恢复原始密码。这样，如果有人破解密码数据库并窃取所有哈希值，他们将无法恢复所有用户的密码。事实上，这样做在数学上是不可能的。哈希函数将所有无限多个可能的字符串映射到一组固定长度的字符串，因此（理想情况下！）有无限多个字符串可以哈希到任何特定的哈希值。

If you want to make a "forgot your password?" option, it's probably best to just reset the user's password to something random and then send an email containing the new junk password.

如果您想制作“忘记密码？” 选项，可能最好只是将用户的密码重置为随机密码，然后发送一封包含新垃圾密码的电子邮件。

While the other posters are right, i think a specific answer is being sought so here goes.

虽然其他海报是对的，但我认为正在寻求一个具体的答案，所以这里是。

forgot password function can be implemented by using two columns related to the user id. one column is a random string, which can be of arbitrary length, and other the date time. When the user indicates that they have forgotten their password, you generate the random string and update this record with the string and the current date time. you then send an email to their registered email id with a url that has the random string. When that url is opened, you will check if the random string exists in your tables and if it has not been expired. you will check the current date time and the date time on which the string was generated, and you will have your own policy for determining what is the longest you will wait. typically 3 days is enough. if the link is expired, the forgot password will have to be started again. if the link is not expired, you will note the user id for which the string was generated and you will ask the user to enter their username and new password two times. the username has to match the userid for which the string was generated, and the two passwords be the same. you will then update the users password with the md5 hash of the new password.

忘记密码功能可以通过使用与用户ID相关的两列来实现。一列是随机字符串，可以是任意长度，另一列是日期时间。当用户指出他们忘记了密码时，您生成随机字符串并使用字符串和当前日期时间更新此记录。然后，您使用具有随机字符串的 url 向他们注册的电子邮件 ID 发送电子邮件。当该 url 打开时，您将检查随机字符串是否存在于您的表中以及它是否尚未过期。您将检查当前日期时间和生成字符串的日期时间，并且您将拥有自己的策略来确定您将等待的最长时间。一般3天就够了。如果链接已过期，则必须重新启动忘记密码。如果链接没有过期，您将记下生成字符串的用户 ID，并要求用户输入用户名和新密码两次。用户名必须与生成字符串的用户 ID 相匹配，并且两个密码必须相同。然后，您将使用新密码的 md5 哈希值更新用户密码。

the reason you dont want to generate a new password is because if the user recalls the password, they can still log in, even while their forgot password is in process.

您不想生成新密码的原因是，如果用户回忆起密码，即使在忘记密码的过程中，他们仍然可以登录。

md5 is one way. You cannot reverse md5 encrypted strings.

md5 是一种方式。您无法反转 md5 加密字符串。

Typically, what developers will do when providing a forgot password link is to reset the user's password to something random, give that to them in an email, and then force them to reset their password on next login.

通常，开发人员在提供忘记密码链接时会做的是将用户的密码重置为随机的东西，通过电子邮件将其提供给他们，然后强制他们在下次登录时重置密码。

Another solution would be to provide them with a random key and a "forgot password link" that can be used to allow them to reset their password.

另一种解决方案是为他们提供一个随机密钥和一个“忘记密码链接”，可用于允许他们重置密码。

Just in case you are considering it, I want to mention that it's not a good idea to store passwords in the database in plain text. The fact that you can't retrieve the user's password means that a hacker can't either.

以防万一，我想提一下，将密码以纯文本形式存储在数据库中并不是一个好主意。您无法检索用户密码的事实意味着黑客也不能。

If users forget their passwords, you should not be sending them their passwords. Instead they should need to reset their passwords after verifying (perhaps by recieving an email, or some other means) that they are indeed the correct user.

如果用户忘记了他们的密码，您不应该将他们的密码发送给他们。相反，他们应该需要在验证（可能通过收到电子邮件或其他方式）他们确实是正确的用户后重置他们的密码。