Updating user passwords from salted SHA1 to bcrypt

I was hired to restore an actively used application that was created on CodeIgniter 1.7.3 (on a PHP 4.2 server) using Laravel 4 on a new PHP 5.3 server.

The system has about 500 users whose passwords are encrypted using SHA-1 hashes. I would like to use bcrypt to improve application security, as well as to integrate with the Laravel 4 authentication system.

How do you suggest transferring these user passwords?

+6
3 answers

The whole point of the hash is that it is impossible to restore the original password.

You have three options:

  • Store bcrypt hashes of the SHA1 hashes, then SHA1-hash each entered password before encrypting it every time a user logs in.
    This may not be a good idea.

  • Refresh each hash the next time the user logs in (at that moment you have the plaintext to hash).
    This is the best option, but you need to keep the SHA1 hashes and the transition code until every user has logged in.

  • Reset each user to a random password and force everyone to use Forgot Password to change it.
    You probably don't want to do this.

+10

  • Add a column to your database that tells the system which hash algorithm was used.
  • When logging in, check the credentials as usual.
  • If their row uses the old algorithm and the login succeeds, bcrypt the entered password and update their password and algorithm in the database.
+7
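
The lazy upgrade described in the answer above, as an added example in plain PHP that is not code from this thread or from Laravel. It assumes the legacy scheme was sha1(salt . password) with a per-user salt column, that password_hash()/password_verify() are available (PHP 5.5+, or the password_compat polyfill on 5.3.7+; on Laravel 4, Hash::make()/Hash::check() play the same role), and the column names hash_algo and salt are assumptions.

```php
<?php
// Added example (not from the original thread): lazily migrate one user row
// from a salted SHA-1 hash to bcrypt at the moment of a successful login.
// Assumptions: legacy hash = sha1(salt . password) with a per-user 'salt'
// column; an assumed 'hash_algo' column records the scheme in use;
// password_hash()/password_verify() exist (PHP >= 5.5 or password_compat).

function legacy_sha1_matches(array $user, $password)
{
    $candidate = sha1($user['salt'] . $password);
    if (function_exists('hash_equals')) {          // PHP >= 5.6
        return hash_equals($user['password'], $candidate);
    }
    // Fallback constant-time comparison for older PHP releases.
    if (strlen($user['password']) !== strlen($candidate)) {
        return false;
    }
    $diff = 0;
    for ($i = 0, $n = strlen($candidate); $i < $n; $i++) {
        $diff |= ord($user['password'][$i]) ^ ord($candidate[$i]);
    }
    return $diff === 0;
}

// Returns true for a valid password; upgrades the row in place when it still
// carries a SHA-1 hash. The caller persists $user to the database afterwards.
function attempt_login(array &$user, $password)
{
    if ($user['hash_algo'] === 'bcrypt') {
        return password_verify($password, $user['password']);
    }
    if (!legacy_sha1_matches($user, $password)) {
        return false;                 // wrong password: leave the row untouched
    }
    // Login succeeded against the old hash, so the plaintext is in hand:
    // rehash with bcrypt, drop the old salt and record the new algorithm.
    $user['password']  = password_hash($password, PASSWORD_BCRYPT, array('cost' => 12));
    $user['hash_algo'] = 'bcrypt';
    $user['salt']      = null;
    return true;
}

// Constructed sample row in the legacy format.
$user = array(
    'salt'      => 'k3Lm9q',
    'password'  => sha1('k3Lm9q' . 'correct horse battery'),
    'hash_algo' => 'sha1',
);
var_dump(attempt_login($user, 'wrong guess'));           // row stays on sha1
var_dump(attempt_login($user, 'correct horse battery')); // row switches to bcrypt
```

Once every row reads bcrypt, the salt column and legacy_sha1_matches() can be dropped; rows that never migrate are the ones the random-password reset in the other answers is for.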

You can create a random password for each user and send each of them an email notification with their new password. But this will lead to confusion if the user does not see the email.

I recommend that you add another db field for the bcrypt value, and then create the record when the user logs in for the first time after the change. For tracking you can use either a separate field or delete the old hash.

Once your active users have migrated, feel free to use the random-password method for the rest of your user base to complete the migration.

+1

Source: https://habr.com/ru/post/955191/
