How can I secure passwords saved in MySQL database? hash?


mesh2005
06-25-2007, 08:16 AM
I have a form where people register and their info (including username and password) is saved in the database. Some of my friends told me to save the hash of the password, not the password itself, to protect against any hack trial if the hacker got access to the database. Is that effective? If the hacker got access to the database, he can simply generate the hash of a new password and save it in the database, right?
And using the hash makes it not easy to recover the password! How can I give the users the ability to recover passwords?

MrCoder
06-25-2007, 09:04 AM
You should look at using MD5 with a salt. You never let them recover their password; just issue them a new one via e-mail or some other form of secure delivery.

You use a hash on a password to protect the users from having their passwords stolen, not to protect your database from being hacked.
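Worked example of the two pieces of advice above (salted, one-way password storage and "issue a new one" instead of recovery). This is added illustration code, not from any poster in the thread. It swaps in PBKDF2-HMAC-SHA256 from Python's standard library in place of the MD5 the post mentions; the record format, iteration count, salt length and function names are assumptions made for the example.

```python
import hashlib
import hmac
import os
import secrets
from typing import Optional, Tuple

# Work factor and salt size are assumptions for this example; tune the
# iteration count to your hardware (slower for you means slower for attackers).
ITERATIONS = 200_000
SALT_BYTES = 16
SCHEME = "pbkdf2_sha256"


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a self-describing record "pbkdf2_sha256$iter$salt_hex$digest_hex".

    The salt is random and per user, so two users with the same password get
    different records, and an attacker cannot precompute one lookup table that
    works against every row of a stolen users table.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{SCHEME}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Re-derive the hash with the stored salt and parameters, then compare in constant time."""
    try:
        scheme, iter_str, salt_hex, digest_hex = record.split("$")
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
        iterations = int(iter_str)
    except ValueError:
        return False  # malformed record: fail closed
    if scheme != SCHEME:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, expected)


def issue_reset_token() -> Tuple[str, str]:
    """Password "recovery" when only hashes exist: mint a random single-use token.

    Returns (token, token_hash). The token is e-mailed to the user; only its hash
    is stored, so someone holding a copy of the database cannot redeem it.
    """
    token = secrets.token_urlsafe(32)
    return token, hashlib.sha256(token.encode("ascii")).hexdigest()


def redeem_reset_token(presented: str, stored_token_hash: str) -> bool:
    """Check a presented reset token against its stored hash in constant time.

    A real flow would also enforce an expiry and delete the row after one use.
    """
    presented_hash = hashlib.sha256(presented.encode("ascii")).hexdigest()
    return hmac.compare_digest(presented_hash, stored_token_hash)


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print("stored record:", record)
    print("login with right password:", verify_password("correct horse battery staple", record))
    print("login with wrong password:", verify_password("Tr0ub4dor&3", record))
    token, token_hash = issue_reset_token()
    print("mail this to the user:", token)
    print("store only this:", token_hash)
    print("redeem:", redeem_reset_token(token, token_hash))
```

The record carries its own parameters so the iteration count can be raised later without breaking old rows: verify with whatever is stored, then re-hash and overwrite on the next successful login. Storing only the hash of the reset token is the same idea applied to the recovery path: a leaked database gives an attacker neither passwords nor usable reset links.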

mesh2005
06-26-2007, 02:21 AM
Thank you for your reply. I just don't understand what is meant by protecting their passwords from being stolen. How is that going to happen if the database was not hacked?

bluestars
06-27-2007, 11:15 PM
Alright. If the database is compromised -- hacked -- (or you peek), plaintext (unhashed) passwords can be seen by everyone. Hashed passwords, however, are one way. It's literally impossible to take the hashed form of the password and change it back into the plain English form.

So, hashing won't stop anyone from breaking in -- it'll stop them from stealing user passwords, which is good for the users.

If they have access to the DB, they can change the passwords, but they won't get them, which makes users feel good. People use the same password on more than one site, so they don't like it when they get stolen.

I know in particular, AOL keeps the passwords in plaintext (or in reversible encryption). When you use their forgotten password function, they send you your password.

That function is actually supposed to generate a new random password and email it to the user.

MrCoder
06-29-2007, 02:26 AM
It's literally impossible to take the hashed form of the password and change it back into the plain english form.

Never heard of rainbow tables?

That's why you use a salt.

bluestars
06-29-2007, 04:01 PM
That's a lookup. You're not converting it back, you're comparing them to see if it matches. Just like guessing a ton of passwords.

That said, he's right. There's no such thing as "impossible".
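A small demonstration of the exchange above, added here and not posted by anyone in the thread: the "reversal" of an unsalted hash is a table lookup, and a per-user salt makes any precomputed table useless, leaving only per-row guessing. The wordlist and the salt are constructed for the example; MD5 is used only because the thread discusses it, not as a recommendation.

```python
import hashlib
import os
from typing import Dict, List, Optional

# Constructed stand-in for a leaked-password wordlist (assumption: a real
# attacker uses lists with millions of entries, not seven).
WORDLIST: List[str] = ["123456", "password", "qwerty", "letmein",
                       "dragon", "baseball", "iloveyou"]


def md5_hex(data: bytes) -> str:
    # MD5 only because the thread talks about it; it is far too fast for passwords.
    return hashlib.md5(data).hexdigest()


def build_lookup_table(words: List[str]) -> Dict[str, str]:
    """Precompute hash -> plaintext once and reuse it against every unsalted
    hash ever stolen. A rainbow table is a space-optimised form of this idea."""
    return {md5_hex(w.encode("utf-8")): w for w in words}


def crack_with_table(stored_hash: str, table: Dict[str, str]) -> Optional[str]:
    """Nothing is "converted back": the plaintext is found only if its hash
    was computed in advance and stored in the table."""
    return table.get(stored_hash)


def md5_salted(password: str, salt: bytes) -> str:
    """Hash salt || password. The salt is random per user and stored next to
    the hash; it does not need to be secret, only unique."""
    return md5_hex(salt + password.encode("utf-8"))


def crack_salted_by_guessing(stored_hash: str, salt: bytes,
                             words: List[str]) -> Optional[str]:
    """With the salt known the attacker can still guess, but every guess must be
    recomputed for this one salt, so no precomputed work carries across users
    (and a deliberately slow hash multiplies the cost of each guess)."""
    for w in words:
        if md5_salted(w, salt) == stored_hash:
            return w
    return None


if __name__ == "__main__":
    table = build_lookup_table(WORDLIST)

    unsalted = md5_hex(b"letmein")
    print("unsalted hash:", unsalted, "-> table lookup:", crack_with_table(unsalted, table))

    salt = os.urandom(8)
    salted = md5_salted("letmein", salt)
    print("salted hash:  ", salted, "-> table lookup:", crack_with_table(salted, table))
    print("salted hash, per-row guessing with known salt:",
          crack_salted_by_guessing(salted, salt, WORDLIST))
```

Run it and the unsalted hash of "letmein" falls to the table instantly, the salted one returns nothing from the same table, and only the per-row guessing loop (which has to be redone for every user's salt) recovers it. That is the difference both posters are pointing at: a salt does not make guessing impossible, it removes the shared precomputation.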