Unfortunately, I used md5 to has our users' passwords
How is that unfortunate? That's what you're supposed to do. User passwords should be obscured behind a 1-way hash and not recoverable by anybody. Not even by you as the system owner/administrator.
users who cannot remember their passwords, are not able to utilize our Recover password feature
There should be no such thing as a "recover password feature". It's called a "reset password feature". You can change a user's password administratively. But you should never ever be able to read it.
When they attempt to recover their password, they receive the encrypted password which is useless to them because they can't use it.
But attackers can use it. Which is why you shouldn't be sending it out to anybody in the first place.
is there a simpler encryption / decryption mechanism that someone could suggest that I try?
Is doesn't get much simpler than:
md5($password)
It's one function call. Five keystrokes. It's really simple to use. And since you're already using it, you're good.
Once you stop publishing your password hashes, you'll be all set on handling user passwords (at least as far as we know here). Keep up the great work! There are tons of services out there which don't properly obscure user passwords. Thank you for at least attempting it.
Note: As users have pointed out (users who are far more familiar with PHP these days than I am), while using md5()
directly is a step in the right direction, it's not the best you could be doing.
Instead, take a look at PHP's built in password handling functionality. (Or, if you're using an older, pre-5.5 version of PHP, there's a compatibility pack which maintains the same functionality.) Jay Blanchard has written a handy article on its use here.
The concept is the same, obscuring user passwords by means of a one-way hash. But the tooling has evolved considerably.