
How to migrate a password hash?

If I have passwords stored as a salted MD5 hash, but want to move them to use bcrypt, what's the best way to perform that transition? (given that I can't get the passwords back)

Should I bcrypt the md5 hash? Are there cryptographic implications to doing that that I don't want?


Usually, sites simply make users change their passwords. If you add a hash_version field to your users table, you can keep track of the current hash type. When someone with MD5 logs in, make them change their passwords.

After a certain amount of time, you can optionally expire all the remaining MD5 passwords (forcing users to reset to log in).

0
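The flow this answer describes (a `hash_version` field, a forced password change when an MD5 user logs in, and later expiry of the remaining MD5 hashes), as an added example that is not part of the original post. Assumptions: the dict-based user record and its `salt`/`hash` fields, the `md5(salt + password)` layout, all function names, and PBKDF2 from the standard library standing in for bcrypt so the block runs without third-party packages.

```python
import hashlib
import hmac
import os

MD5_SALTED, MODERN = 1, 2  # values stored in the hash_version column

def md5_salted(password, salt):
    # Legacy scheme. The md5(salt + password) layout is an assumption.
    return hashlib.md5(salt + password.encode()).hexdigest()

def modern_hash(password, salt):
    # Stand-in for bcrypt (assumption); in production call the bcrypt
    # library's hashpw/checkpw here instead.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000).hex()

def verify(user, password):
    # Pick the verifier from hash_version, compare in constant time.
    fn = md5_salted if user["hash_version"] == MD5_SALTED else modern_hash
    return hmac.compare_digest(fn(password, user["salt"]), user["hash"])

def set_password(user, new_password):
    # Every password change writes the new scheme and bumps hash_version.
    user["salt"] = os.urandom(16)
    user["hash"] = modern_hash(new_password, user["salt"])
    user["hash_version"] = MODERN

def login(user, password):
    """Return 'ok', 'must_change_password', 'reset_required' or 'denied'."""
    if user["hash"] is None:          # legacy hash was expired
        return "reset_required"
    if not verify(user, password):
        return "denied"
    # A correct password on an MD5 record only unlocks the change form.
    return "must_change_password" if user["hash_version"] == MD5_SALTED else "ok"

def expire_legacy(users):
    """After the grace period, void remaining MD5 hashes; return the count."""
    expired = 0
    for u in users:
        if u["hash_version"] == MD5_SALTED and u["hash"] is not None:
            u["hash"] = None          # the MD5 hash is deleted, not kept around
            expired += 1
    return expired

def make_legacy_user(password):
    # Constructed sample record for the demonstration.
    salt = os.urandom(8)
    return {"salt": salt, "hash": md5_salted(password, salt),
            "hash_version": MD5_SALTED}
```

Until a user changes their password or `expire_legacy` runs, the MD5 hash stays in the table, so the grace period is also the window in which a database leak still exposes MD5 hashes.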
