The most efficient way to change the password hash type (MD5 to SHA1)

I have a system that uses MD5 to hash my users' passwords and stores them in my database. Now I'm moving to another system that uses SHA1 (with a single site-wide SALT, not a unique one per user) to hash passwords.

How do I make an old MD5 user password turn into my new SHA1 password with PHP?

+3
5 answers

You cannot convert md5 to sha, but your users actually only use the password when they are about to log in, so you can change your script a little to update it automatically:

```php
// The user is not authenticated yet
$auth = false;
$updated = false;

// From your login form
$user = $_POST['user'];
$pass = $_POST['pass'];

// Check whether this user's password has already been updated (read it from the DB)
$updated = false; // not updated yet

// Hash the candidate with the scheme the stored hash was produced by
$password = $updated ? sha1($pass) : md5($pass);

// Do the authentication:
// select the row from the database, compare $password with the stored hash,
// and on success set $auth = true

// Then change the password
if ($auth == true && !$updated) {
    $newpassword = sha1($pass);
    // Connect to DB
    // Update the password
    // Set status to updated in DB
    $updated = true;
}

// Better approach: rehash the plaintext, not the old hash
if ($auth == true && !$updated) {
    $newpassword = password_hash($pass, PASSWORD_BCRYPT);
    // Connect to DB
    // Update the password
    // Set status to updated in DB
    $updated = true;
}
```

I used password_hash, which is a better approach, because it uses BCRYPT, which is the best hash algorithm. Additional information about password_compat.

+5

Sorry, you can’t.

The best you can hope for is to store both the MD5 and SHA1 versions and fill in the SHA1 value when the user logs in. Just check whether the SHA1 version is available, and if not, use the old validation strategy.

Ultimately, you must migrate most of your users to the new SHA1 / SALT based system.

+4

You cannot change the hash type without the password being re-entered. They are irreversible one-way hashes. You could, I suppose, try a rainbow table lookup, but since some hashes have multiple collisions, this will not work 100% of the time. In addition, your salt will make it ineffective. What is a salt?

+1

To create SHA1 versions, you need the original plaintext passwords. However, MD5 hashing is, of course, one-way. Therefore, if you do not have a plaintext version of the passwords, you will not be able to do what you want.

+1

You can add a second SHA1 field to your password table, and when users log in, check the md5 hash (if there is no sha1 hash yet); if it matches, rehash the password with sha1 and save it. When all users have switched to SHA1, you can remove the md5 field. - Are you stuck with MD5 hashes?

+1
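The lazy migration that the first and last answers describe, written out as an added example (not code from any of the answers): the stored row carries a `hash_type` tag, a legacy MD5 row is verified with MD5 and, since the plaintext is in hand at that moment, rewritten with `password_hash()` as the first answer's better approach recommends. The `$users` rows and the `hash_type`/`hash` column names are constructed for the example.

```php
<?php
declare(strict_types=1);

// Constructed stand-in for the users table; 'hash_type' records how 'hash' was made.
$users = [
    'alice' => ['hash_type' => 'md5',    'hash' => md5('correct horse')],
    'bob'   => ['hash_type' => 'modern', 'hash' => password_hash('battery staple', PASSWORD_DEFAULT)],
];

/**
 * Verify $pass against $row. Returns true on success; as a side effect a
 * legacy MD5 row is upgraded in place, so the caller must persist $row.
 */
function login(array &$row, string $pass): bool
{
    if ($row['hash_type'] === 'md5') {
        // Legacy path: compare MD5 of the candidate in constant time.
        if (!hash_equals($row['hash'], md5($pass))) {
            return false;
        }
        // The plaintext is available only now, so rehash it properly.
        $row['hash']      = password_hash($pass, PASSWORD_DEFAULT);
        $row['hash_type'] = 'modern';
        return true;
    }

    if (!password_verify($pass, $row['hash'])) {
        return false;
    }
    // Keep already-migrated rows current if the default cost or algorithm changes.
    if (password_needs_rehash($row['hash'], PASSWORD_DEFAULT)) {
        $row['hash'] = password_hash($pass, PASSWORD_DEFAULT);
    }
    return true;
}

// First successful login upgrades alice; a wrong password leaves the row untouched.
var_dump(login($users['alice'], 'correct horse'));
var_dump($users['alice']['hash_type']);
var_dump(login($users['alice'], 'wrong'));
var_dump(login($users['bob'], 'battery staple'));
```

Once every row reads `hash_type = 'modern'` the MD5 branch and the old column can be dropped, which is the end state the last answer describes.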

Source: https://habr.com/ru/post/949163/
