Update old stored md5 passwords in PHP to increase security

Question

At the moment I have a database with md5 passwords stored, a few years back this was considered a little more secure than it is now and it\'s got to the point where the pass

Answer 1

Implementation of your new, more secure, password storage should use bcrypt or PBKDF2, as that's really the best solution out there right now.

Don't nest things, as you don't get any real security out of this due to collisions as @Anony-Mousse describes.

What you may want to do it implement a "transition routine" where your app transitions users over from the old MD5-based system to the new more secure system as they log in. When a login request comes in, see if the user is in the new, more secure, system. If so, bcrypt/PBKDF2 the password, compare, and you're good to go. If they are not (no one will be at first), check them using the older MD5-based system. If it matches (password is correct), perform the bcrypt/PBKDF2 transformation of the password (since you now have it), store it in the new system, and delete the old MD5 record. Next time they log in, they have an entry in the new system so you're good to go. Once all of the users have logged in once you implement this, you can remove this transition functionality and just authenticate against the new system.