Sign Up to our social questions and Answers Engine to ask questions, answer people’s questions, and connect with other people.
Login to our social questions & Answers Engine to ask questions answer people’s questions & connect with other people.
Lost your password? Please enter your email address. You will receive a link and will create a new password via email.
Please briefly explain why you feel this question should be reported.
Please briefly explain why you feel this answer should be reported.
Please briefly explain why you feel this user should be reported.
I have an existing database with about 1.6 million users in it. Currently the passwords are stored as salted SHA1, I’d like to upgrade them all to salted SHA256.
The approach I’ve taken so far if to migrate each user as they login, essentially validate their password against the old hash and if it matches create a new stronger hash. This works fine, but it’s a slow process.
As far as I can see there is no easy way to shortcut this process. Is there a better way?
What you describe is an appropriate and legitimate method of migrating users from a weaker/older hash algorithm to a stronger/newer hash algorithm. I have successfully implemented this technique in multiple situations. Trying to migrate everyone at once is a horrible UX idea and then you run into the problem of needing to mail out passwords, which is a bad idea for multiple reasons, both security and UX.
I would suggest that since you are undertaking such an effort now, that you consider using a different algorithm than salted SHA-256. Salted SHA-512 offers a higher level of security, and implementing a scheme where you stretch the hash is even better (do some high number of iterations of SHA-512 – starting with the password+salt of course). Or, you can take advantage of an algorithm already specifically designed for password hashing such as bcrypt, scrypt, or PBKDF2.