I have a database of hashed passwords that had no salt added before they were hashed. I want to add salt to new passwords. Obviously I can’t re-hash the existing ones.
How would you migrate to a new hashing system?
Sure you can. Just add a salt to the existing hash and hash it again. Of course, this will require any future logins to go through the same process, meaning two hash functions will need to be called, but lots of legitimate patterns do this anyway, so it doesn’t smell as bad as you might think.
Salting a password is an effort to defend against rainbow tables. In this case the salt does not need to be a secret.
http://en.wikipedia.org/wiki/Rainbow_tables#Defense_against_rainbow_tables
You can actually see in the article
Which is the same exact method you would be using. (Except a different hashing function.)
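The wrap-and-rehash migration described in the answer above, as an added example that is not part of the original answer. It assumes the legacy scheme is a single unsalted SHA-256 and uses PBKDF2-HMAC-SHA256 as the second, salted step in place of a plain hash call; the function names, row layout and sample passwords are constructed for illustration.

```python
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 100_000  # assumed work factor for this example


def legacy_hash(password: str) -> bytes:
    """The old scheme: one unsalted hash (SHA-256 is an assumption)."""
    return hashlib.sha256(password.encode("utf-8")).digest()


def wrap(legacy_digest: bytes, salt: bytes) -> bytes:
    """The new scheme: salt the existing hash and hash it again."""
    return hashlib.pbkdf2_hmac("sha256", legacy_digest, salt, PBKDF2_ROUNDS)


def migrate_row(row: dict) -> dict:
    """Upgrade a stored record offline; the plaintext password is not needed."""
    salt = os.urandom(16)  # per-user random salt, stored next to the hash
    return {"user": row["user"], "salt": salt, "hash": wrap(row["hash"], salt)}


def register(user: str, password: str) -> dict:
    """New accounts take the same two steps, so one verifier serves all rows."""
    return migrate_row({"user": user, "hash": legacy_hash(password)})


def verify(row: dict, password: str) -> bool:
    """Login check: recompute both steps and compare in constant time."""
    candidate = wrap(legacy_hash(password), row["salt"])
    return hmac.compare_digest(candidate, row["hash"])


def demo() -> dict:
    # Constructed sample data: two legacy users who share a password.
    old_table = [
        {"user": "alice", "hash": legacy_hash("hunter2")},
        {"user": "bob", "hash": legacy_hash("hunter2")},
    ]
    new_table = [migrate_row(r) for r in old_table]
    new_table.append(register("carol", "correct horse"))
    return {r["user"]: r for r in new_table}


if __name__ == "__main__":
    table = demo()
    print(verify(table["alice"], "hunter2"), verify(table["alice"], "wrong"))
```

After migration the old unsalted column can be dropped, since every row verifies through the same two-step path.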