Want to Convert a Website password Encryption from SHA1 to SHA256

Tags:

sha1

sha256

Just looking for some advice. I have a website with around 2500 users - small but growing. I built it using SHA1 encryption on the passwords. I've since read that SHA1 is insecure and would like to change to, say, SHA256 with a salt.

Does anyone have any advice on how to make a transition like this? It would be great if I could decrypt the passwords and just re-hash them, but that doesn't appear to be doable.

thx Adam

Adam Avatar asked Aug 07 '11 07:08

Adam


1 Answer

The usual way of going about this is this:

  1. Make the hashed-password column larger to accommodate a sha256 hash, and add a 'salt' column.
  2. Set the salt field to NULL initially, and adjust your password-check code so that a NULL salt means sha1 and a non-NULL salt means sha256.
  3. Once a sha1 user has logged in successfully, re-hash the password to sha256 with salt, and update the database.

Over time, users will migrate to sha256 by themselves; the only problem is users who log in only very sporadically or not at all. For these, you may want to send a reminder e-mail, or even threaten to shut their account down if they don't log in before day X (don't give the actual reason, though...).

tdammers Avatar answered Oct 22 '22 03:10

tdammers
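The three-step migration from the answer above, written out as an added example (not code from the question or the answer). It assumes the legacy scheme is unsalted hex SHA-1 and uses an in-memory SQLite table with constructed rows, a `salt` column that is NULL for un-migrated users, a random 16-byte per-user salt generated with `secrets` at migration time, and a constant-time comparison for both schemes. The function names (`login`, `scheme_for`, `legacy_users`) are this example's own. One caveat the answer does not mention: salted SHA-256 is still a fast hash, so a deliberately slow password hash (PBKDF2-HMAC-SHA256, bcrypt, scrypt or Argon2) is the better target today; the same NULL-salt switch works unchanged for any of them.

```python
import hashlib
import hmac
import secrets
import sqlite3


def sha1_hex(password: str) -> str:
    # Legacy scheme assumed for the site: unsalted SHA-1, hex encoded.
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def sha256_salted_hex(password: str, salt: bytes) -> str:
    # New scheme from the answer: per-user random salt prepended, SHA-256, hex encoded.
    return hashlib.sha256(salt + password.encode("utf-8")).hexdigest()


def open_db() -> sqlite3.Connection:
    """Step 1: a password_hash column wide enough for 64 hex chars plus a salt column.

    SQLite TEXT has no length limit; on MySQL you would widen e.g. VARCHAR(40) to VARCHAR(64).
    Rows are constructed sample data, stored exactly as the legacy site would have left them.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users ("
        "username TEXT PRIMARY KEY, password_hash TEXT NOT NULL, salt BLOB)"
    )
    # Step 2: salt is NULL for every existing user, meaning 'this hash is SHA-1'.
    for name, pw in (("alice", "correct horse"), ("bob", "hunter2")):
        conn.execute("INSERT INTO users VALUES (?, ?, NULL)", (name, sha1_hex(pw)))
    conn.commit()
    return conn


def scheme_for(conn: sqlite3.Connection, username: str) -> str:
    row = conn.execute("SELECT salt FROM users WHERE username = ?", (username,)).fetchone()
    if row is None:
        raise KeyError(username)
    return "sha1" if row[0] is None else "sha256"


def login(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Verify the password under whichever scheme the row uses; migrate on a good SHA-1 login."""
    row = conn.execute(
        "SELECT password_hash, salt FROM users WHERE username = ?", (username,)
    ).fetchone()
    if row is None:
        return False
    stored, salt = row
    if salt is None:
        # Legacy row: check against unsalted SHA-1 in constant time.
        if not hmac.compare_digest(stored, sha1_hex(password)):
            return False
        # Step 3: we hold the cleartext only now, so re-hash and update the row.
        new_salt = secrets.token_bytes(16)
        conn.execute(
            "UPDATE users SET password_hash = ?, salt = ? WHERE username = ?",
            (sha256_salted_hex(password, new_salt), new_salt, username),
        )
        conn.commit()
        return True
    # Migrated row: salt is present, so this is salted SHA-256.
    return hmac.compare_digest(stored, sha256_salted_hex(password, bytes(salt)))


def legacy_users(conn: sqlite3.Connection) -> list:
    """Who still has a NULL salt; these are the 'send a reminder e-mail' candidates."""
    rows = conn.execute(
        "SELECT username FROM users WHERE salt IS NULL ORDER BY username"
    ).fetchall()
    return [r[0] for r in rows]


if __name__ == "__main__":
    db = open_db()
    print("before:", legacy_users(db))
    print("alice wrong pw:", login(db, "alice", "nope"), scheme_for(db, "alice"))
    print("alice right pw:", login(db, "alice", "correct horse"), scheme_for(db, "alice"))
    print("after:", legacy_users(db))
```

A failed login must not migrate the row, and a successful one must migrate it exactly once; after that the SHA-1 digest is gone from the database, which is the point of the exercise.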