How to migrate a password hash?
If I have passwords stored as a salted MD5 hash, but want to move them to use bcrypt, what's the best way to perform that transition? (given that I can't get the passwords back)
Should I bcrypt the MD5 hash? Are there cryptographic implications to doing that that I don't want?
Usually, sites simply make users change their passwords. If you add a hash_version field to your users table, you can keep track of the current hash type. When someone with MD5 logs in, make them change their passwords.
After a certain amount of time, you can optionally expire all the remaining MD5 passwords (forcing users to reset to log in).
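The hash_version scheme from the answer above, as an added example that is not code from the original post. It keeps a per-row version, verifies legacy rows with the old salted MD5, and, when a legacy user authenticates successfully, re-hashes the password the user has just supplied under the new scheme (the answer forces a password change at that point; either way the plaintext is in hand only at login, which is why the upgrade can only happen there). A `md5_expired` flag models the later cutoff where remaining MD5 rows stop being accepted. The bcrypt calls assume the third-party `bcrypt` package; if it is not installed the block substitutes PBKDF2-HMAC-SHA256 from the standard library purely so it runs offline, and that substitution is labelled in the code. The `UserRow` type, the version constants and the sample users are all constructed for this example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Hypothetical values for a hash_version column (not from the original post).
HASH_V1_SALTED_MD5 = 1
HASH_V2_BCRYPT = 2

try:
    import bcrypt  # third-party package; assumed installed in production

    def _strong_hash(password: bytes) -> str:
        # bcrypt silently truncates input after 72 bytes; fine for ordinary passwords.
        return bcrypt.hashpw(password, bcrypt.gensalt()).decode()

    def _strong_verify(password: bytes, stored: str) -> bool:
        return bcrypt.checkpw(password, stored.encode())

except ImportError:
    # STAND-IN so the example runs without bcrypt: PBKDF2-HMAC-SHA256 from the
    # standard library. This is not bcrypt; swap it out for the real thing.
    PBKDF2_ITERATIONS = 200_000

    def _strong_hash(password: bytes) -> str:
        salt = secrets.token_bytes(16)
        dk = hashlib.pbkdf2_hmac("sha256", password, salt, PBKDF2_ITERATIONS)
        return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"

    def _strong_verify(password: bytes, stored: str) -> bool:
        _, iters, salt_hex, dk_hex = stored.split("$")
        dk = hashlib.pbkdf2_hmac("sha256", password, bytes.fromhex(salt_hex), int(iters))
        return hmac.compare_digest(dk.hex(), dk_hex)


@dataclass
class UserRow:
    """One row of a users table with the hash_version column the answer suggests."""
    username: str
    hash_version: int
    salt: str            # only meaningful for the legacy salted-MD5 rows
    password_hash: str


def legacy_md5(salt: str, password: str) -> str:
    # The old scheme: hex(md5(salt || password)). Kept only to verify existing rows.
    return hashlib.md5((salt + password).encode()).hexdigest()


def make_legacy_user(username: str, password: str) -> UserRow:
    # Constructed sample data: what a pre-migration row looks like.
    salt = secrets.token_hex(8)
    return UserRow(username, HASH_V1_SALTED_MD5, salt, legacy_md5(salt, password))


def login(user: UserRow, password: str, md5_expired: bool = False) -> bool:
    """Verify a login and upgrade legacy rows in place. Returns True on success."""
    if user.hash_version == HASH_V1_SALTED_MD5:
        if md5_expired:
            # Past the cutoff: legacy hashes are no longer accepted at all, so the
            # user must go through a password reset before logging in.
            return False
        ok = hmac.compare_digest(legacy_md5(user.salt, password), user.password_hash)
        if ok:
            # The plaintext is in hand right now: this is the only moment the row
            # can be upgraded without asking the user to pick a new password.
            user.password_hash = _strong_hash(password.encode())
            user.salt = ""                      # bcrypt carries its own salt
            user.hash_version = HASH_V2_BCRYPT
        return ok
    if user.hash_version == HASH_V2_BCRYPT:
        return _strong_verify(password.encode(), user.password_hash)
    raise ValueError(f"unknown hash_version {user.hash_version}")


def count_legacy(rows: list) -> int:
    """How many rows still need the upgrade; useful for deciding when to expire them."""
    return sum(1 for r in rows if r.hash_version == HASH_V1_SALTED_MD5)
```

A failed login attempt against a legacy row must never upgrade it, which is why the re-hash sits inside the `ok` branch; the constant-time compare on the MD5 path is there so the legacy rows do not become a timing oracle during the months they linger.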