md5 passwords

[scottw]

hi i am creating a script on my website. i want the admins to be able to see a list of all the usernames and passwords but passwords are stored as MD5.

i have got a page displaying all usernames and the MD5 passwords but i want the passwords to be in plain text. how whoul i do this?

[Ryan Fait]

The point of MD5 is so that it can't be unencrypted. There isn't an automated way to do that.

[grahame]

Whether or not you encrypt passwords (with MD5 or something else), it is a very bad idea in most cases to have administrators able to see lists of passwords alongside user names. It makes it extremely hard to track down any security leaks (yeah, I know, you trust all you admins) and your users will be quite concerned too - remember that many of them probably use the same password for other purposes.

Why do you want your admins to be able to see the passwords anyway? If it's to help people who have forgotten their passwords, then you should email them back out - reset to a new random value if the're set with MD5. And if it's so that your admins can log in to help "as them", you would do better to have your admins log in under their true indentity as then swicth to the user they're helping. That way you can log and providea an audit trail.