How to upgrade a password storage scheme (change hashing-algorithm)

Backend · Unresolved · 7 · 1284
庸人自扰 2021-02-02 09:33

I've been asked to implement some changes/updates to an intranet-site; make it 'future proof' as they call it.

We found that the passwords are hashed using the MD5

7 answers
  •  没有蜡笔的小新
    2021-02-02 09:50

    The best answer is from an actual cryptography expert https://paragonie.com/blog/2016/02/how-safely-store-password-in-2016#legacy-hashes

    This post also helps explain which hashing you should use. It's still current even if it says 2016. If in doubt use bcrypt.

    Add a column to your user accounts table, called legacy_password (or equivalent). This is just a Boolean

    Calculate the new stronger hash of the existing password hashes and store them in the database.

    Modify your authentication code to handle the legacy flag.

    When a user attempts to login, first check if the legacy_password flag is set. If it is, first pre-hash their password with your old password hashing algorithm (md5), then use this prehashed value in place of their password. Afterwards, recalculate the new hash and store the new hash in the database, disabling the legacy_password flag in the process.
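The migration and login flow described in the answer above, as an added worked example that is not part of the original answer or the linked Paragon post. It assumes an in-memory dict standing in for the user accounts table, the legacy scheme being an unsalted MD5 hex digest, and PBKDF2-HMAC-SHA256 from the standard library standing in for bcrypt so the example runs without extra packages; in production you would use bcrypt (or argon2) as the answer recommends.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed stand-in for bcrypt: salted PBKDF2-HMAC-SHA256 with a fixed work factor.
PBKDF2_ROUNDS = 200_000


def strong_hash(password: bytes, salt: Optional[bytes] = None) -> str:
    """Hash `password` with a fresh random salt, returning a self-describing string."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password, salt, PBKDF2_ROUNDS)
    return f"pbkdf2_sha256${PBKDF2_ROUNDS}${salt.hex()}${dk.hex()}"


def strong_verify(password: bytes, stored: str) -> bool:
    """Recompute the hash with the stored salt/rounds and compare in constant time."""
    _, rounds, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password, bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(dk.hex(), dk_hex)


def legacy_md5(password: str) -> bytes:
    """The old scheme from the question: unsalted MD5, stored as a hex digest."""
    return hashlib.md5(password.encode("utf-8")).hexdigest().encode("ascii")


def build_sample_users() -> dict:
    """Constructed pre-migration table: only an MD5 hex digest per user, no legacy flag yet."""
    return {
        "alice": {"password_hash": legacy_md5("correct horse battery staple").decode("ascii")},
    }


def migrate_existing_hashes(users: dict) -> None:
    """Steps 1-2 of the answer: add the legacy_password column and wrap every
    existing MD5 digest in the strong hash. No plaintext password is needed,
    so this can run offline over the whole table. Idempotent: already-migrated
    rows are skipped."""
    for rec in users.values():
        if "legacy_password" in rec:
            continue
        rec["password_hash"] = strong_hash(rec["password_hash"].encode("ascii"))
        rec["legacy_password"] = True


def login(users: dict, username: str, password: str) -> bool:
    """Step 3-4 of the answer: verify against the wrapped hash when the legacy
    flag is set, and on success re-hash the real password and clear the flag."""
    rec = users.get(username)
    if rec is None:
        # Burn comparable time so unknown usernames are not cheaper than wrong passwords.
        strong_hash(b"dummy")
        return False
    if rec["legacy_password"]:
        # Pre-hash with the old algorithm; the stored value is strong_hash(md5_hex).
        candidate = legacy_md5(password)
    else:
        candidate = password.encode("utf-8")
    if not strong_verify(candidate, rec["password_hash"]):
        return False
    if rec["legacy_password"]:
        # Successful login: we finally hold the plaintext, so drop the MD5 layer.
        rec["password_hash"] = strong_hash(password.encode("utf-8"))
        rec["legacy_password"] = False
    return True


if __name__ == "__main__":
    table = build_sample_users()
    migrate_existing_hashes(table)
    print("legacy flag set:", table["alice"]["legacy_password"])
    print("login ok:", login(table, "alice", "correct horse battery staple"))
    print("legacy flag after login:", table["alice"]["legacy_password"])
```

Two details worth checking when you adapt this: the migration must be idempotent (re-running it must not wrap an already-wrapped hash a second time), and the legacy branch must feed the old digest in exactly the encoding the old code stored (hex vs. raw bytes, upper vs. lower case), or every legacy user will be locked out.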
