All geek questions in one place

Convert sha1 to bcrypt?

I have a PHP application that has a somewhat decent user base. Now, unfortunately, he has been using sha1 ($ password. $ Salt) all these years, and I really want this to be in favor of bcrypt. I found some good ways to get a Blowfish hash, but I'm still not sure what I should use for the conversion. Here are my options:

Option 1

Every time a user logs in, I check to see if the hash starts at $ 2. If not, I assume it is sha1, enter the password entered by the user, get the bcrypt hash for it and replace the old hash in the database.

Option 2

I will replace my auth class to do this:

$hash = password_hash("rasmuslerdorf", sha1($password . $salt));

Thus, the conversion is faster.

But honestly, I donโ€™t really like any of the options. Both suggest that I still keep the deprecated check in the codebase I want to get rid of.

Any suggestions which of the above two are better in terms of coding standards? Or does anyone have a better solution?

+6
source share
2 answers

Each password storage system should be able to switch to the best hashing algorithm, your problem is not a one-time transfer problem, as you think. Good password hash algorithms such as BCrypt have a cost factor, from time to time you have to increase this cost factor (due to faster hardware), then you need the same procedure as for migration.

Your option 1 is a convenient approach if the hashes are not terribly unsafe (unsalted or very weak algorithm). In PHP, the new API password , you will even have the password_needs_rehash () function to determine if an update is necessary.

I would recommend leaving a residual stay in the code, you will save your customers from the hassle to confront your users with the wrong password. As a user, I donโ€™t like emails that require clicking a link and re-entering my password, users learn to ignore such email due to phishing. As mentioned earlier, such code backups are not bad, it is a necessary step for the safe handling of passwords.

+2
source

Add a new DB col, say [passNeedSystemUpdate], your default value will be 1. 1 = true or yes and 0 = na.

Process the userโ€™s input as usual until you reach the end, and then run a check to check if passNeedsSystemUpdate = 1. If the password needs to be updated, we take users from the password field and update the new password along with passNeedSystemUpdate which will now be 0.

NOTE. If in case of violation or absence of your database, users will have no choice but to create a completely new password. Above all, there is little logic to use if you are changing your current encryption from sha256 to swcrypt or something else.

0
source

Source: https://habr.com/ru/post/949160/

More articles:


All Articles