If I have passwords stored as a salted MD5 hash, but want to move them to use bcrypt, what's the best way to perform that transition? (given that I can't get the passwords back)
Should I bcrypt the md5 hash? Are there cryptographic implications to doing that that I don't want?
You can't "reverse" password hashes. You can't "unhash" or "dehash" passwords. You can't "reverse" or "invert" MD5, SHA256, bcrypt, SHA1, or similar hashes, salted or unsalted. You (usually) can't "decode" passwords, "decrypt" password hashes or "reverse" or "unscramble" password hashes at all.
Customer password migration is among the most popular options store owners choose during replatforming. By automatically transferring passwords from the Source to the Target store, merchants save their customers time and spare them the password-recovery hassle.
Windows password hashes are stored in the SAM hive; however, they are encrypted with the system boot key, which is stored in the SYSTEM hive. If an attacker can obtain both of these files (stored in C:\Windows\System32\Config), the boot key from the SYSTEM hive can be used to decrypt the password hashes stored in the SAM hive.
Brute force is also used to crack hashes, that is, to recover a password from a given hash: the attacker hashes candidate passwords one after another and compares each result with the target hash until one matches.
Usually, sites simply make users change their passwords. If you add a hash_version field to your users table, you can keep track of the current hash type. When someone with MD5 logs in, make them change their passwords.
After a certain amount of time, you can optionally expire all the remaining MD5 passwords (forcing users to reset to log in).
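The migration described in the answer above, as an added example that is not part of the original question or answer. It keeps a hash_version field per user record, verifies legacy salted-MD5 logins, and replaces the record with a strong hash on the first successful login (the user has just typed the plaintext, so a forced password change is optional at that point). It also shows the alternative the asker raised, wrapping the existing MD5 hex digest in the slow hash offline so dormant accounts stop sitting behind fast MD5 immediately, and the final "expire everything still on MD5" step. Assumptions: the legacy scheme is md5(salt + password) in hex (adjust to the real salt placement); the version numbers, field names and the record-dictionary layout are hypothetical; and PBKDF2-HMAC-SHA256 from the standard library stands in for bcrypt so the example runs without third-party packages (with the bcrypt package, strong_hash would become bcrypt.hashpw / bcrypt.checkpw). The sample passwords are constructed.

```python
import hashlib
import hmac
import secrets

# Hypothetical hash_version values for the users table described in the answer.
V1_SALTED_MD5 = 1    # legacy: md5(salt + password), hex digest
V2_STRONG = 2        # target scheme (bcrypt in production; PBKDF2 stand-in here)
V3_WRAPPED_MD5 = 3   # strong_hash(legacy md5 hex): the "bcrypt the md5" option

PBKDF2_ITERATIONS = 100_000  # illustrative; tune to your hardware like a bcrypt cost factor


def legacy_md5(salt: str, password: str) -> str:
    # Assumed legacy construction; change if the real scheme puts the salt elsewhere.
    return hashlib.md5((salt + password).encode("utf-8")).hexdigest()


def strong_hash(secret: bytes, salt: bytes) -> bytes:
    # Stand-in for bcrypt so the example runs with the standard library only.
    # Note: real bcrypt truncates input at 72 bytes; a 32-char MD5 hex digest fits.
    return hashlib.pbkdf2_hmac("sha256", secret, salt, PBKDF2_ITERATIONS)


def make_legacy_record(password: str) -> dict:
    # Constructed example of what the existing table holds today.
    salt = secrets.token_hex(8)
    return {"hash_version": V1_SALTED_MD5, "salt": salt, "hash": legacy_md5(salt, password)}


def make_strong_record(password: str) -> dict:
    salt = secrets.token_bytes(16)
    return {"hash_version": V2_STRONG, "salt": salt,
            "hash": strong_hash(password.encode("utf-8"), salt)}


def wrap_legacy(record: dict) -> dict:
    """Offline step needing no plaintext: treat the stored MD5 hex as the 'password'."""
    if record["hash_version"] != V1_SALTED_MD5:
        raise ValueError("only salted-MD5 records can be wrapped")
    outer_salt = secrets.token_bytes(16)
    return {"hash_version": V3_WRAPPED_MD5, "salt": record["salt"], "outer_salt": outer_salt,
            "hash": strong_hash(record["hash"].encode("ascii"), outer_salt)}


def verify_and_upgrade(record: dict, password: str) -> tuple:
    """Return (ok, record_to_store). On success, V1 and V3 records are replaced by V2."""
    version = record["hash_version"]
    if version == V1_SALTED_MD5:
        ok = hmac.compare_digest(legacy_md5(record["salt"], password), record["hash"])
    elif version == V3_WRAPPED_MD5:
        inner = legacy_md5(record["salt"], password).encode("ascii")
        ok = hmac.compare_digest(strong_hash(inner, record["outer_salt"]), record["hash"])
    elif version == V2_STRONG:
        ok = hmac.compare_digest(strong_hash(password.encode("utf-8"), record["salt"]),
                                 record["hash"])
    else:
        raise ValueError(f"unknown hash_version {version}")
    if ok and version != V2_STRONG:
        # Plaintext is in hand at login time, so rehash with the strong scheme now.
        return True, make_strong_record(password)
    return ok, record


def expire_legacy(users: dict) -> list:
    """Final step from the answer: flag every account still not on V2 for a forced reset."""
    expired = []
    for username, rec in users.items():
        if rec["hash_version"] != V2_STRONG:
            rec["must_reset"] = True
            expired.append(username)
    return sorted(expired)


if __name__ == "__main__":
    users = {"alice": make_legacy_record("correct horse"),
             "bob": wrap_legacy(make_legacy_record("battery staple"))}
    ok, users["alice"] = verify_and_upgrade(users["alice"], "correct horse")
    print("alice login:", ok, "now version", users["alice"]["hash_version"])
    print("expired for reset:", expire_legacy(users))
```

Whether you wrap (V3) or wait for logins (V1 to V2) is a scheduling choice: wrapping protects every row the moment the batch job finishes, while the login path is the only place the plaintext becomes available to finish the move to a plain strong hash. Either way, compare digests with a constant-time function and keep the version field so the verify path never has to guess which scheme a row uses.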