I guess that the algorithms used to encrypt passwords become weaker year after year due to new technologies (more powerful CPUs, GPUs...).
So, does this mean that a user registered in 2006 is less protected than one who registered in 2012?
Then, how do you update the password of that 2006 user? (For example Yahoo: if I have been registered since 2006, then my password takes less time to crack than the password I'll set in 2012, so how will Yahoo update my password to the new, more powerful system?)
In other words: how do you migrate from one system to another (from MD5 to bcrypt, for example, for the existing MD5-hashed passwords)?
There are two actual problems:
The latter one is fixed by changing the way you normally hash and store passwords in your database. You can already do this every time a user logs in when their password is stored in the old format.
The first one requires an actual change of the password and you should ‘force’ users to update their password every so often and check (or at least indicate) password strength when they enter a new one.
Another way to counter the increased CPU power is to limit the number of password tries after a number of failed ones and thus prevent brute forcing of the password.
In general though I think proper management of password storage is lacking in most websites and systems.