MD5 passwords start with $1$
. crypt()
can identify MD5 hashes that way and correctly identifies them (see http://php.net/crypt)
One typical strategy is to determine the hashing type and to update the hash on login, so you can seamlessly update hashes. Ideally you'd use the password_hash()
group of functions since they hide the details and prevent you from implementing it wrongly. Should the php developers ever change their defaults (eg. because they were shown to be unsafe), your application would update hashes automatically after a php update.
They're available natively with php 5.5, but for php >= 5.3.7 there's a compatibility library to be found at https://github.com/ircmaxell/password_compat. It essentially does what you wrote above, just with more options, like using openssl if mcrypt isn't available, and it provides the standard API.