
Hi guys recently I started using

$salt = $uniqueSalt;

$cryptpassword = md5($salt.$password);

How would I convert all passwords in my MySQL database with this so it doesn't affect the users?

The passwords in my database at the moment are in plain text; I want to convert all the plain-text passwords to MD5 with the salt.

user1250526

  • A salt should not be unique for each hash. – Gumbo May 07 '12 at 18:17
  • @Gumbo: Don't you mean a salt *should be* unique for each hash? – gen_Eric May 07 '12 at 18:20
  • @Rocket Yes, of course; I've altered the sentence and now it's quite the opposite of what I wanted to say. Unfortunately, I can't edit it again. – Gumbo May 07 '12 at 18:23
  • If you want to hash your passwords, check out phpass and this question http://stackoverflow.com/questions/401656/secure-hash-and-salt-for-php-passwords. – Zombaya May 07 '12 at 18:23

2 Answers


I recommend you read more about salts and how to use them. They should not be a constant string, but something unique to each user, for example the username, or my personal favorite: the registration date (with a precision of 1 second, of course).

Also, if you store the passwords in your DB as MD5 hashes, there's no way to convert the passwords. MD5 is one-way hashing; you can't obtain the original passwords in order to apply the salt and rehash. If you absolutely want to apply this, then the only way you can do it is to force each user to change his password and apply the new algorithm when they do. There are 2 problems with this:

  • most users are not going to like this
  • you must keep track of which users made the change and which didn't. This is to prevent problems when logging in.
Radu Murzea

  • You don't have to force users to change their passwords. You could, upon login of the user, first check if they are already on the new hashing system and, if not, check his password with the old system and, if correct, generate the new hash based on the password he supplied. If he was already on the new system, just verify with the new hashing system. After a while you could, however, force the users to reset their password to fully move to the new hash system. – Zombaya May 07 '12 at 18:28
  • @Zombaya You're right. I didn't think of this. Thanks for the tip :) . – Radu Murzea May 07 '12 at 18:29
  • It's better to use an iteration count in addition to the hashing (MD5 hashing is *very* fast nowadays, never mind those rainbow tables). And the best way to apply an iteration count is to use an algorithm like bcrypt or PBKDF2. – Maarten Bodewes May 07 '12 at 22:27
  • SoboLAN, registration date does not sound very unique to me, and neither does the username. An attacker could easily compare MD5 values between different sites, for instance. It's probably best to prepend the username with your server's hostname to make it unique across sites, or even better, to store a secure random salt (8 bytes or more) for each user. – Maarten Bodewes May 07 '12 at 22:30
  • @owlstead When I say registration date, I mean to the precision of 1 second. But you're right: a combination of such elements must be used for the salt :) . – Radu Murzea May 08 '12 at 06:00
  • I don't think you understand right, and I know I have to use a unique salt; either way I would like to convert all passwords in the current database (which aren't hashed!!) – user1250526 May 08 '12 at 12:36
  • Are you saying the passwords are currently stored as plain text? – Radu Murzea May 08 '12 at 12:43
  • Exactly, I want to convert them all to MD5 with the $uniqueSalt I am using. Would you say it is possible? I am not trying to convert anything back, but converting plain text into MD5. – user1250526 May 08 '12 at 14:26

Just like this, but you have to change your login so you don't check for their password but for md5($salt.$password);

But as the previous posters said, it's not much more secure, and if the password isn't already plain in your database you probably won't get it as plain text if it has been hashed.

Soundz
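A worked version of the migration discussed in this thread (hashing the whole plain-text column in one pass, plus Zombaya's login-time upgrade for any row that is missed), written here as an added example rather than code from the question or answers. It uses password_hash()/bcrypt, as Maarten Bodewes recommends, instead of md5($salt.$password); an in-memory array stands in for the MySQL table and `password_hash` is an assumed new column.

```php
<?php
// Added example (not from the question or answers): migrate a table whose
// `password` column is still plain text to per-user salted hashes with
// password_hash() (bcrypt) instead of md5($salt.$password). $users is a
// constructed in-memory stand-in for the MySQL table; `password_hash` is an
// assumed new column. In SQL each upgrade would be:
//   UPDATE users SET password_hash = ?, password = NULL WHERE id = ?
$users = [
    ['id' => 1, 'password' => 'hunter2',       'password_hash' => null],
    ['id' => 2, 'password' => 'correct horse', 'password_hash' => null],
];

// Because the stored values are plain text, every row can be hashed in one
// pass. bcrypt draws a fresh random salt per call, so no shared $uniqueSalt
// is needed, and the plain text is discarded once the hash is stored.
function migrateAll(array &$users): int
{
    $count = 0;
    foreach ($users as &$row) {
        if ($row['password_hash'] === null && $row['password'] !== null) {
            $row['password_hash'] = password_hash($row['password'], PASSWORD_BCRYPT);
            $row['password'] = null;
            $count++;
        }
    }
    unset($row);
    return $count;
}

// Login check that also copes with rows not yet migrated (Zombaya's
// suggestion above): verify against whichever form is stored and upgrade
// the row on a successful plain-text match.
function login(array &$row, string $supplied): bool
{
    if ($row['password_hash'] !== null) {
        return password_verify($supplied, $row['password_hash']);
    }
    // Constant-time comparison of the legacy plain-text value.
    if (!hash_equals((string) $row['password'], $supplied)) {
        return false;
    }
    $row['password_hash'] = password_hash($supplied, PASSWORD_BCRYPT);
    $row['password'] = null;
    return true;
}

var_dump(login($users[0], 'hunter2'));  // user 1 upgraded during login
echo migrateAll($users), " remaining row(s) hashed in bulk\n";
var_dump(login($users[1], 'wrong'), login($users[1], 'correct horse'));
```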