Information Security 6 min read

Why Websites Require Password Reset Instead of Revealing Original Passwords

Websites cannot reveal original passwords because they store only salted, one‑way hashes, not the plaintext, making recovery impossible; therefore, when users forget their credentials, the secure approach is to verify identity and issue a password reset rather than expose any stored data.

Java Tech Enthusiast

During a recent interview, a candidate was asked why many websites offer a "forgot password" feature that requires resetting the password instead of revealing the original one.

Preventing Information Leakage

Data breaches are common: a 2022 Termly report cataloguing 98 major incidents shows that many well‑known sites have been compromised.

Because stored passwords can be exposed, sites must protect user credentials. The standard practice is to store only hashed versions of passwords, never the plaintext.

Common hashing algorithms include SHA‑256, MD5 and RSA, often combined with a salt. Hashing is one‑way, so the original password cannot be recovered from the hash.

Example: the password 123456 hashed with MD5 yields E10ADC3949BA59ABBE56E057F20F883E. MD5 is deterministic, so the same input always produces the same output, making it vulnerable to rainbow‑table attacks.

To mitigate this, sites add a random or fixed salt before hashing. For instance, prepending the string LGD_Sunday! to 123456 gives LGD_Sunday!123456, whose MD5 hash is E1FC8CB7B54BED0FDC8711530236BA4D. The added salt makes pre‑computed attacks infeasible.
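The following added example (not code from the article or its author) shows the two points above in working Python: unsalted MD5 is deterministic, so two users with the same password get the same hash, while a per‑user random salt gives every user a different stored value even for identical passwords. It goes one step beyond the article by using PBKDF2‑HMAC‑SHA256 from the standard library for the stored form, since MD5 is only kept here to reproduce the article's illustration. The password and salt strings are the article's; the iteration count and storage format are assumptions.

```python
import hashlib
import hmac
import os
from typing import Optional

# Values taken from the article's illustration (constructed sample data).
PASSWORD = "123456"
FIXED_SALT = "LGD_Sunday!"


def md5_hex(text: str) -> str:
    """Unsalted MD5 of a string. Shown only to illustrate determinism; never use for storage."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def md5_salted_hex(salt: str, password: str) -> str:
    """Salt prepended before hashing, as the article describes."""
    return md5_hex(salt + password)


def hash_password(password: str, salt: Optional[bytes] = None, iterations: int = 600_000) -> str:
    """Per-user random salt plus PBKDF2-HMAC-SHA256 (assumed parameters).

    Returns the string that would be stored: 'iterations$salt_hex$hash_hex'.
    The plaintext password is never kept anywhere.
    """
    if salt is None:
        salt = os.urandom(16)  # fresh random salt for every user
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Re-derive the hash with the stored salt and compare in constant time."""
    iterations, salt_hex, hash_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), hash_hex)


if __name__ == "__main__":
    # Two users with the same password: identical under plain MD5, distinct with random salts.
    print("md5(123456)           =", md5_hex(PASSWORD))
    print("md5(LGD_Sunday!123456) =", md5_salted_hex(FIXED_SALT, PASSWORD))
    user_a = hash_password(PASSWORD)
    user_b = hash_password(PASSWORD)
    print("user A stored:", user_a)
    print("user B stored:", user_b)
    print("same stored value?", user_a == user_b)
    print("verify correct password:", verify_password(PASSWORD, user_a))
    print("verify wrong password:  ", verify_password("1234567", user_a))
```

Because `verify_password` reads the salt and iteration count back out of the stored string, the server can check a login attempt without ever holding the original password, which is exactly why it cannot hand that password back to the user.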

The Server Does Not Know the Original Password

Web applications store only the salted hash, which is generated on the client side and transmitted securely. The server cannot retrieve the original password, so it cannot disclose it to the user.

Consequently, when a user forgets the password, the only safe option is to reset it after verifying the user's identity.
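As an added example of the reset flow the article recommends (not code from the article or its author), the Python below issues a single‑use, time‑limited reset token, stores only a hash of that token, and lets the user set a new password once the token is presented. The in‑memory user and reset tables, the 15‑minute lifetime and the PBKDF2 parameters are assumptions standing in for a real database and policy; delivering the token to the user out of band (for example by e‑mail) is left to the caller.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional

TOKEN_TTL_SECONDS = 15 * 60  # assumed policy: a reset link is valid for 15 minutes


@dataclass
class ResetRecord:
    token_hash: str    # SHA-256 of the token; the raw token is never stored
    expires_at: float  # absolute expiry time (seconds since the epoch)
    used: bool = False


# Constructed in-memory stand-ins for a user table and a pending-reset table.
USERS: Dict[str, str] = {}           # username -> stored 'salt_hex$hash_hex'
RESETS: Dict[str, ResetRecord] = {}  # username -> pending reset, at most one


def _hash_token(token: str) -> str:
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def store_password(username: str, password: str) -> None:
    """Store only a salted PBKDF2 hash; the plaintext is discarded."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)
    USERS[username] = f"{salt.hex()}${digest.hex()}"


def check_password(username: str, password: str) -> bool:
    stored = USERS.get(username)
    if stored is None:
        return False
    salt_hex, hash_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), 100_000)
    return hmac.compare_digest(digest.hex(), hash_hex)


def request_reset(username: str, now: Optional[float] = None) -> Optional[str]:
    """Create a one-time token for an existing user and return it for out-of-band delivery.

    Returns None for unknown users; a real endpoint should answer identically in both
    cases so the response does not reveal which usernames exist.
    """
    if username not in USERS:
        return None
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 256 bits of randomness, unguessable
    RESETS[username] = ResetRecord(_hash_token(token), now + TOKEN_TTL_SECONDS)
    return token


def complete_reset(username: str, token: str, new_password: str, now: Optional[float] = None) -> bool:
    """Accept the token once, only before expiry, then replace the stored hash."""
    record = RESETS.get(username)
    if record is None or record.used:
        return False
    now = time.time() if now is None else now
    if now > record.expires_at:
        return False
    if not hmac.compare_digest(_hash_token(token), record.token_hash):
        return False
    record.used = True  # single use: a replayed link no longer works
    store_password(username, new_password)
    return True


if __name__ == "__main__":
    store_password("alice", "correct horse")
    token = request_reset("alice")
    print("token to deliver out of band:", token)
    print("reset with wrong token:", complete_reset("alice", "not-the-token", "new pass"))
    print("reset with right token:", complete_reset("alice", token, "new pass"))
    print("old password still works?", check_password("alice", "correct horse"))
    print("new password works?", check_password("alice", "new pass"))
    print("token reused?", complete_reset("alice", token, "another"))
```

The identity check here is possession of the token delivered to the registered contact; the server never needs, and never has, the old password. Storing only the token's hash means a leaked reset table is no more useful to an attacker than a leaked password table.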

Modern authentication methods such as password‑less login, QR‑code login, or one‑time verification codes further reduce reliance on static passwords.

Tags: Authentication, data breach, Hashing, MD5, password security, salting

Written by

Java Tech Enthusiast

Sharing computer programming language knowledge, focusing on Java fundamentals, data structures, related tools, Spring Cloud, IntelliJ IDEA... Book giveaways, red‑packet rewards and other perks await!
