just looking for some advise. I have a website with around 2500 users - small but growing. I built it with using SHA1 encryption on the passwords. I've since read the SHA1 is insecure and would like to change to say SHA256 with a Salt.
Does anyone have any advice on how to make a transition like this? Would be great if I could decrypt the passwords and just re-hash them but it doesn't appear doing able.
thx Adam
The usual way of going about this is this:
Over time, users will migrate to sha256 by themselves; the only problem are users who log in only very sporadically or not at all. For these, you may want to send a reminder e-mail, or even threaten to shut their account down if they don't log in before day X (don't give the actual reason though...)