Update old stored md5 passwords in PHP to increase security

花落未央 2021-01-07 10:18

At the moment I have a database with md5 passwords stored, a few years back this was considered a little more secure than it is now and it's got to the point where the pass

4 Answers
  •  梦毁少年i
    2021-01-07 10:30

    Do not nest md5 inside your sha512 hash. An md5 collision then implies a hash collision in the outer hash, too (because you are hashing the same values!)

    The common way of storing passwords is to use a scheme such as

    
    

    When validating the password, you read and from this field, reapply them to the password, and then check that it produces the same .

    Check the crypt functions you have available. On a modern Linux system, crypt should be able to use sha512 password hashing in a sane way: PHP crypt manual. Do not reinvent the wheel; you will probably just screw up more badly than md5, unless you are an expert on cryptographic hashing. It will even take care of the above scheme: the Linux standard is to use $ as separator, and $6$ is the method ID for sha512, while $2a$ indicates you want to use blowfish. So you can even have multiple hashes in use in your database. md5 hashes are prefixed with $1$$ (unless you reinvented md5 hashing, then your hashes may be incompatible).

    Seriously, reuse the existing crypt function. It is well checked by experts, extensible, and compatible across many applications.
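
The point above about having multiple hashes in use in one database suggests upgrading each row at login. This is an added example, not part of the original answer; the function names, the bare 32-hex legacy layout and the rounds value are assumptions made for illustration.

```php
<?php
// Added example, not from the original answer. Assumes legacy rows hold a bare
// 32-character hex md5 and upgraded rows hold a crypt() string starting with "$".

// Build a new "$6$" (sha512) crypt string with a fresh random salt.
function new_hash(string $password): string
{
    // 16 salt characters; hex digits are a subset of the crypt salt alphabet.
    $salt = bin2hex(random_bytes(8));
    // rounds=100000 is a value chosen for this example; tune it to your hardware.
    return crypt($password, '$6$rounds=100000$' . $salt . '$');
}

// Returns [bool $ok, ?string $replacement]. $replacement is non-null when the
// caller should overwrite the stored value with the upgraded hash.
function check_and_upgrade(string $password, string $stored): array
{
    // Legacy row: no method prefix, just the md5 hex digest.
    if (preg_match('/^[0-9a-f]{32}$/i', $stored) === 1) {
        if (!hash_equals(strtolower($stored), md5($password))) {
            return [false, null];
        }
        // The plaintext is only available now, at login, so rehash it here.
        return [true, new_hash($password)];
    }
    // crypt-format row: the stored string carries the method ID and salt,
    // so passing it as the salt argument reproduces the same scheme.
    if ($stored !== '' && $stored[0] === '$') {
        // On failure crypt() returns a short "*0"/"*1" token, which can never
        // equal a stored string that begins with "$".
        return [hash_equals($stored, crypt($password, $stored)), null];
    }
    return [false, null]; // unknown format: reject
}

// Constructed sample: one legacy row, upgraded on first successful login.
$row = md5('correct horse battery');
[$ok, $new] = check_and_upgrade('correct horse battery', $row);
if ($ok && $new !== null) {
    $row = $new; // in a real application: UPDATE the user's password column
}
[$okAfter] = check_and_upgrade('correct horse battery', $row);
[$okWrong] = check_and_upgrade('wrong guess', $row);
var_dump($ok, substr($row, 0, 3), $okAfter, $okWrong);
```

Rows for users who never log in again keep their md5 value, so the legacy branch stays reachable until those accounts are reset or expired.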
