Question
I have a system using MD5 to hash my users' passwords and store them in my database. Now I'm changing to another system that uses SHA1 (with a single system-wide salt, not a per-user one) to hash the passwords.
How do I manage to get the users' old MD5 passwords turned into my new SHA1 passwords with PHP?
Answer 1:
You cannot convert MD5 to SHA, but really your users only use their password when they are about to log in, so you can modify your script a little to do the update automatically:
<?php
// The user is not authenticated yet
$auth = false;

// From your login form
$user = $_POST['user'];
$pass = $_POST['pass'];

// Check whether this user's password has already been updated
// (in practice, read this flag from the user's row in the DB)
$updated = false; // not updated yet

// Hash with whichever scheme the stored row uses
$password = $updated ? sha1($pass) : md5($pass);

// Do the authentication:
// Select from database
// Check the data
// Set auth
$auth = true;

// Then change the password
if ($auth == true && !$updated) {
    $newpassword = sha1($pass);
    // Connect to DB
    // Update the password
    // Set status to updated in DB
    $updated = true;
}

// Better approach (hash the plaintext, not the old digest)
if ($auth == true && !$updated) {
    $newpassword = password_hash($pass, PASSWORD_BCRYPT);
    // Connect to DB
    // Update the password
    // Set status to updated in DB
    $updated = true;
}
I used password_hash as a better approach because it uses bcrypt, which is a better hash algorithm. See more information on password_compat.
Answer 2:
Sorry, you can't.
The best you could hope for is to store both MD5 and SHA1 versions, and populate the SHA1 content when the user logs in. Just check to see if the SHA1 version is available, and if not use old validation strategy.
You should, eventually, migrate most of your users over to the new SHA1/SALT based system transparently.
Answer 3:
You can't change the hash type without the user re-entering their password. They are irreversible one-way hashes. You could, I guess, try to do a lookup in a rainbow table, but since certain hashes have multiple collisions, that wouldn't work 100% of the time either. Also, your salt would render that ineffective. That's the point of having a salt.
Answer 4:
You would need the original plaintext passwords to create SHA1 versions of them. However, MD5 hashing is of course one-way. So unless you happen to have the plaintext versions of the passwords, there is no way to do what you want.
Answer 5:
You could build a second SHA1 field into your password table and, when users log in, check against the MD5 hash (if there's no SHA1 hash yet) and, if it's correct, re-hash it into SHA1 and store that. Once all the users have changed over to SHA1 you can remove your MD5 field. -- Have you salted the MD5 hashes?
Source: https://stackoverflow.com/questions/16863775/most-efficient-way-to-change-the-hash-type-of-a-password-md5-to-sha1