I have a database of hashed passwords that had no salt added before they were hashed. I want to add salt to new passwords. Obviously I can't re-hash the existing ones.
How would you migrate to a new hashing system?
Sure you can. Just add a salt to the existing hash and hash it again. Of course, this will require any future logins to go through the same process, meaning two hash functions will need to be called, but lots of legitimate patterns do this anyway, so it doesn't smell as bad as you might think.
Salting a password is an effort to defend against rainbow tables. In this case the salt does not need to be a secret.
http://en.wikipedia.org/wiki/Rainbow_tables#Defense_against_rainbow_tables
You can actually see in the article:
hash = MD5 (MD5 (password) . salt)
Which is the same exact method you would be using. (Except a different hashing function.)
As a quick fix, you could create a salt column in the database, and when a user logs in correctly matching the old hash, you can then use that password that they entered with a salt and create a new hash.
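The two approaches suggested above (wrapping the stored hash with a salt, then re-hashing from the real password at the next successful login) can be combined. The following is an added example, not code from any of the answers. It assumes the old scheme is unsalted MD5 stored as hex, and it uses PBKDF2-HMAC-SHA256 as the salted outer hash in place of a single hash call; the function names, record fields and iteration count are hypothetical.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed work factor for this example


def legacy_hash(password: str) -> str:
    """Old scheme (assumed here): unsalted MD5, stored as hex."""
    return hashlib.md5(password.encode()).hexdigest()


def kdf(data: bytes, salt: bytes) -> str:
    return hashlib.pbkdf2_hmac("sha256", data, salt, ITERATIONS).hex()


def wrap_legacy(stored_md5_hex: str) -> dict:
    """Batch step: salt and re-hash the stored hash; no password needed."""
    salt = os.urandom(16)
    return {"scheme": "wrapped", "salt": salt.hex(),
            "hash": kdf(stored_md5_hex.encode(), salt)}


def new_record(password: str) -> dict:
    """Scheme for new passwords: salted hash of the password itself."""
    salt = os.urandom(16)
    return {"scheme": "direct", "salt": salt.hex(),
            "hash": kdf(password.encode(), salt)}


def verify_and_upgrade(record: dict, password: str):
    """Return (ok, record); a wrapped record is replaced on a good login."""
    salt = bytes.fromhex(record["salt"])
    if record["scheme"] == "wrapped":
        data = legacy_hash(password).encode()  # old hash first, then salt
    else:
        data = password.encode()
    if not hmac.compare_digest(kdf(data, salt), record["hash"]):
        return False, record
    if record["scheme"] == "wrapped":
        record = new_record(password)  # plaintext is available only now
    return True, record


if __name__ == "__main__":
    row = wrap_legacy(legacy_hash("correct horse"))  # constructed sample row
    print(verify_and_upgrade(row, "wrong guess")[0])
    ok, row = verify_and_upgrade(row, "correct horse")
    print(ok, row["scheme"])
```

The caller writes the returned record back to the user's row, so the unsalted hashes can be dropped as soon as the batch step has run and the double hashing disappears account by account as users log in.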