I use asp.net forms authentication to handle hashing/salting to and from plaintext passwords to the DB. This project was set up to use SHA-1 hash as the algorithm, but I am thinking about switching to something like BCrypt or PBKDF2 and was wondering how people usually make a transition like this.
Somehow I have to deal with the current passwords in the db hashed with SHA-1 and then new passwords will be hashed by something else. I could store a bit in the DB that lets me know which one it is, and then force a pw reset on everybody, but I don’t know how easy this would be to do since I can’t modify the forms authentication authentication code that does this for me. Also, the encrypted password field in the db may be two different column types for the two different hashes (may need a bigger column for new algorithm).
You could first hash with the new algorithm and test to see if that matches. If it does not match then you could hash with the old algorithm and see if that matches. If it does then overwrite with the hashed value from the new algorithm that you computed first. This way you can gradually shift everyone to the new algorithm behind the scenes when they log in.
Also, if you are really worried that storing the older hash values is insecure, you could double-hash them with the new algorithm. So your second check would compute the hash with the old algorithm and then hash that result with the new algorithm before checking for a match.