How do I convert password hashing from MD5 to SHA?

Question

I\'ve got an old application that has user passwords stored in the database with an MD5 hash. I\'d like to replace this with something in the SHA-2 family.

I\'ve tho

Answer 1

No - basically you'll have to keep the MD5 in place until all the users you care about have been converted. That's just the nature of hashing - you don't have enough information to perform the conversion again.

Another option in-keeping with the others would be to make the password field effectively self-describing, e.g.

MD5:(md5 hash)
SHA:(sha hash)

You could then easily detect which algorithm to use for comparison, and avoid having two fields. Again, you'd overwrite the MD5 with SHA as you went along.

You'd want to do an initial update to make all current passwords declare themselves as MD5.