just looking for some advise. I have a website with around 2500 users –

Question

0

Asked: May 24, 20262026-05-24T11:30:59+00:00 2026-05-24T11:30:59+00:00

just looking for some advise. I have a website with around 2500 users –

0

just looking for some advise.
I have a website with around 2500 users – small but growing.
I built it with using SHA1 encryption on the passwords.
I’ve since read the SHA1 is insecure and would like to change to say SHA256 with a Salt.

Does anyone have any advice on how to make a transition like this?
Would be great if I could decrypt the passwords and just re-hash them but it doesn’t appear doing able.

thx
Adam

Report

Leave an answer
Cancel reply

You must login to add an answer.

Need An Account,

1 Answer

Editorial Team · Answer 1 · 2026-05-24T11:31:01+00:00

The usual way of going about this is this:

Make the hashed-password column larger to accommodate a sha256 hash, and add a ‘salt’ column
Set the salt field to NULL initially, and adjust your password-check code so that a NULL salt means sha1, and non-NULL means sha256
Once a sha1-use has logged in successfully, re-hash the password to sha256 with salt, and update the database.

Over time, users will migrate to sha256 by themselves; the only problem are users who log in only very sporadically or not at all. For these, you may want to send a reminder e-mail, or even threaten to shut their account down if they don’t log in before day X (don’t give the actual reason though…)

Sign Up

Sign In

Forgot Password

The Archive Base Latest Questions

just looking for some advise. I have a website with around 2500 users –

Leave an answerCancel reply

1 Answer

Leave an answer
Cancel reply