Passwords should never be stored on your system in plain text or in a decryptable form. MD5 is a one way encryption and is an acceptable method of storing passwords. There is absolutely no need for your users passwords to be accessible by you or anyone who works for your organization. A password can always be reset by the user or by you or your employees. You must encrypt the password when it is received and then store the encrypted password in your database. This makes sure that the password is useless in the form in which it is accessed straight from the database.
Your form that takes the password should post to script which does something similar to the following. Ensuring the username is unique and that the password is protected.
$sql = "select * from usertable where username='" . $_POST['username'] . "'";
$result = mysql_query($sql);
if (mysql_num_rows($result) >= 1) {
$error = "please enter another username";
include "userform.php";
exit();
} else {
$username = $_POST['username'];
$userpass = md5($_POST['userpass']);
$sql = "insert into usertable values('$username','$userpass')";
mysql_query($sql);
include "postregister.html";
}
You now have a stored password which is useless to you and only usable to the user through your login form.
You can also use SHA1 to hash your passwords for storage in the database. It's the simplest, yet most effective way to store passwords:
$password = sha1($password);
It's also exceptionally safe. Though the integrity of it is beginning to creep, it's rather easy to upgrade this function to SHA-256 (which is incredibly secure).
