Want to Convert a Website password Encryption from SHA1 to SHA256

Adam · Aug 7, 2011 · Viewed 10.4k times

Just looking for some advice. I have a website with around 2500 users - small but growing. I built it using SHA1 encryption on the passwords. I've since read that SHA1 is insecure and would like to change to, say, SHA256 with a salt.

Does anyone have any advice on how to make a transition like this? It would be great if I could decrypt the passwords and just re-hash them, but it doesn't appear doable.

Thanks, Adam

Answer

tdammers · Aug 7, 2011

The usual way of going about this is this:

  1. Make the hashed-password column larger to accommodate a sha256 hash, and add a 'salt' column.
  2. Set the salt field to NULL initially, and adjust your password-check code so that a NULL salt means sha1, and a non-NULL salt means sha256.
  3. Once a sha1 user has logged in successfully, re-hash the password to sha256 with salt, and update the database.

Over time, users will migrate to sha256 by themselves; the only problem is users who log in only very sporadically or not at all. For these, you may want to send a reminder e-mail, or even threaten to shut their account down if they don't log in before day X (don't give the actual reason, though...)
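The three-step migration above, as an added Python example that is not the answerer's code. It assumes a `users` table with `password_hash` and `salt` columns (the real database is stood in for by an in-memory sqlite3 table with constructed rows), uses the "NULL salt means sha1" convention from step 2, and re-hashes on the first successful login as in step 3. The hash column needs to grow from 40 hex characters (SHA-1) to 64 (SHA-256). One caveat a practitioner would add today: a single salted SHA-256 is still very fast to brute-force offline, and the same login-time re-hash loop works unchanged if a slow password hash such as bcrypt or argon2 is substituted for `sha256_salted`.

```python
import hashlib
import hmac
import os
import sqlite3


def make_db():
    """Constructed in-memory stand-in for the site's user table.

    password_hash holds either a hex SHA-1 digest (legacy row, salt IS NULL)
    or a hex SHA-256 digest of salt || password (migrated row, salt NOT NULL).
    Column width: 40 hex chars for SHA-1, 64 for SHA-256, so TEXT is used here.
    """
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE users (username TEXT PRIMARY KEY, "
        "password_hash TEXT NOT NULL, salt TEXT)"
    )
    # Legacy rows exactly as the original site stored them: unsalted SHA-1.
    for name, pw in [("alice", "correct horse"), ("bob", "hunter2")]:
        db.execute(
            "INSERT INTO users VALUES (?, ?, NULL)",
            (name, hashlib.sha1(pw.encode()).hexdigest()),
        )
    db.commit()
    return db


def sha256_salted(salt_hex, password):
    """SHA-256 over the raw salt bytes followed by the password (new scheme)."""
    salt = bytes.fromhex(salt_hex)
    return hashlib.sha256(salt + password.encode()).hexdigest()


def hash_scheme(db, username):
    """Which scheme a row currently uses: 'sha1', 'sha256', or None if absent."""
    row = db.execute(
        "SELECT salt FROM users WHERE username = ?", (username,)
    ).fetchone()
    if row is None:
        return None
    return "sha1" if row[0] is None else "sha256"


def verify_and_migrate(db, username, password):
    """Check a login; on success against a legacy SHA-1 row, upgrade it in place."""
    row = db.execute(
        "SELECT password_hash, salt FROM users WHERE username = ?", (username,)
    ).fetchone()
    if row is None:
        return False
    stored, salt = row

    # NULL salt means the row still holds an unsalted SHA-1 digest.
    if salt is None:
        candidate = hashlib.sha1(password.encode()).hexdigest()
    else:
        candidate = sha256_salted(salt, password)

    # Constant-time comparison of the two hex strings.
    if not hmac.compare_digest(candidate, stored):
        return False

    if salt is None:
        # The user just proved the plaintext, so this is the one moment we can
        # re-hash it: pick a fresh random salt and replace the SHA-1 digest.
        new_salt = os.urandom(16).hex()
        db.execute(
            "UPDATE users SET password_hash = ?, salt = ? WHERE username = ?",
            (sha256_salted(new_salt, password), new_salt, username),
        )
        db.commit()
    return True


if __name__ == "__main__":
    db = make_db()
    print("alice before:", hash_scheme(db, "alice"))
    print("login:", verify_and_migrate(db, "alice", "correct horse"))
    print("alice after:", hash_scheme(db, "alice"))
```

Note that a wrong password never triggers the upgrade, and a row that has already been migrated is simply checked against the salted SHA-256; the remaining `sha1` rows after any period of use are exactly the dormant accounts the answer talks about.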