Question

I was wondering if there was a method to change the way my site hashed passwords. My coder friend wasn't the smartest when he didn't add salts to the sha512 hash. So now it is very insecure and I wish to change that. I was thinking about making some complicated code to rehash when someone who has the old hash type logs in and it would set the variable to true after adding a salt. Or I could take the currently hashed passwords and somehow fuse a salt into them. I would rather not reset my user database if I don't have to. Any idea would help. I am also quite the php noob so please explain if you include code.

It is Hashed using this method.

<?php hash('sha512',"passwordhere") ?>
Was it helpful?

Solution

  1. Alter your user table to include a 'salt' column, default value of 'NULL'.
  2. Alter your login code to check if the user has a salt:
    • If yes, compare the salted hashes and log in
    • If no:
      1. Compare the unsalted hashes.
      2. Generate a random salt.
      3. Generate your salty hash.
      4. Store your new salt and hash in the database.
      5. Continue the login process.

Of course, you will also need to update your code for registration, password change/recovery, etc.

Alternatively, instead of a 'salt' column you could put in a 'hash_ver' column and use that to determine which validation method to use and when to update the hash. That way if you wish to use a hashing method that packs the salt in with the hash like bcrypt you don't get stuck trying to figure out what type of hash you're dealing with.

OTHER TIPS

Every password-storing-system must have the option to switch to a better hash algorithm, your problem is not a one-time migration problem. In the answer to this question i tried to point out the necessary steps.

Note: Fast hash algorithms like SHA-* are not appropriate to hash passwords, instead switch directly to a slow key-derivation function like BCrypt. The new PHP function password_hash() will make hashing easy (it will generate a safe salt for you), and is "future proof", also it will make switching in future possible.

$old_hash = hash('sha512',"passwordhere");
$salt = ''; // Generate salt here
$new_hash = hash('sha512', $old_hash.$salt) ;
Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow
scroll top