Question

Right now I am saving the SHA256 of the password. But in the future, SHA256 may be subject to collisions. At that time I will be unable to change the password hashing method. So can anyone suggest a proper method for saving a plain text backup in a secure way?


Solution

I assume that your question is about how to switch to a better hashing algorithm, when the original password is not known anymore.

To begin with, today it is recommended to use a slow key-derivation function like BCrypt or PBKDF2 to store passwords (not a fast SHA*). If there is no real need to know the original password, you shouldn't store it in plaintext. Collisions are not a problem with password hashes.

If you want to switch to a better hashing algorithm, you have two options: either you wait until the user logs in the next time (then you know the original password), or you can double hash the existing hash. The usual workflow will look like this:

  1. First try to verify the entered password with the new algorithm. New passwords and already converted passwords will not take longer for verification then.
  2. If it does not match, compare it with the old hash algorithm.
  3. Should the old hash value match, then you can calculate and store the new hash, since you know the password then.
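
The workflow above, together with the double-hash option, as an added example that is not part of the original answer. It assumes the legacy scheme is unsalted SHA-256, that each stored record carries a `scheme` tag (which selects the check instead of probing both algorithms), and that PBKDF2-HMAC-SHA256 is the new algorithm; all function and field names are hypothetical.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000  # assumed work factor; tune for your hardware


def old_hash(password: str) -> bytes:
    """Legacy scheme assumed here: unsalted SHA-256 of the password."""
    return hashlib.sha256(password.encode()).digest()


def pbkdf2(data: bytes, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", data, salt, ITERATIONS)


def new_record(password: str) -> dict:
    salt = os.urandom(16)
    return {"scheme": "pbkdf2", "salt": salt, "hash": pbkdf2(password.encode(), salt)}


def wrap_legacy(record: dict) -> dict:
    """Double hash: PBKDF2 over the stored SHA-256, no password needed."""
    salt = os.urandom(16)
    return {"scheme": "pbkdf2(sha256)", "salt": salt, "hash": pbkdf2(record["hash"], salt)}


def verify_and_upgrade(record: dict, password: str) -> tuple:
    """Return (ok, record); the record is replaced when an old hash matched."""
    pw = password.encode()
    # Step 1: new algorithm first, so converted accounts pay no extra cost.
    if record["scheme"] == "pbkdf2":
        return hmac.compare_digest(pbkdf2(pw, record["salt"]), record["hash"]), record
    # Step 2: fall back to the old algorithm (bare or wrapped).
    if record["scheme"] == "sha256":
        candidate = old_hash(password)
    elif record["scheme"] == "pbkdf2(sha256)":
        candidate = pbkdf2(old_hash(password), record["salt"])
    else:
        raise ValueError("unknown scheme: " + record["scheme"])
    if not hmac.compare_digest(candidate, record["hash"]):
        return False, record
    # Step 3: the password is known now, so calculate and store the new hash.
    return True, new_record(password)
```
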
Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow