4

I have this website, with a simple CMS, and when users register, their password gets encrypted in MD5.

But since I don't like this encryption, and I was already building my CMS again, I changed the hash as well.

Now, is there a way to change the MD5 into another encryption method, without losing my database users?

jarlh
  • 42,561
  • 8
  • 45
  • 63
Explorer
  • 43
  • 2
  • 1
    You could use 2 columns with old and new hash until all users logged in again with the new method. – juergen d Apr 27 '16 at 11:09
  • 3
    See https://paragonie.com/blog/2016/02/how-safely-store-password-in-2016 - there's a section towards the end about updating hashes. – iainn Apr 27 '16 at 11:10
  • 1
    If you have a password reset function, request all users reset their password via the new hashing method. – Matt Apr 27 '16 at 11:11
  • Thank you very much! Didn't think about creating a second column yet, but I like the idea! And I will read the article as well! Thanks guys. – Explorer Apr 27 '16 at 11:12
  • @jarlh: How do you know it is SQL-Server? – juergen d Apr 27 '16 at 11:18
  • @juergend, Oops, did I jump to conclusions? – jarlh Apr 27 '16 at 11:19
  • OP does not mention any DB engine. – juergen d Apr 27 '16 at 11:20
  • Please use PHP's [built-in functions](http://jayblanchard.net/proper_password_hashing_with_PHP.html) to handle password security. If you're using a PHP version less than 5.5 you can use the `password_hash()` [compatibility pack](https://github.com/ircmaxell/password_compat). Make sure that you [don't escape passwords](http://stackoverflow.com/q/36628418/1011527) or use any other cleansing mechanism on them before hashing. Doing so *changes* the password and causes unnecessary additional coding. – Jay Blanchard Apr 27 '16 at 12:38

2 Answers

4

You could add 3 new columns in your database where the passwords are kept.

newPassword, newSalt, isRequired

Here you can save the new salts created by the new passwords (if using hashing like PHP's password_hash), the new hashed password and if this is their first login attempt since the hashing update.

Method

You will need to modify the login script to check if isRequired is YES. If so, pull the old hashed password and old salt; otherwise use the new password and new salt.

For all current users, set isRequired to YES.

On user login, if the isRequired value is YES, redirect the user to a password reset page; otherwise continue as normal.

This password reset page is essentially the new register page but modified for current users so they don't have to create new usernames etc depending on how you deal with the data.

When the user resets their password, this will be hashed with the new method and stored in the database as per usual in the 'new' sections and set the isRequired value to NO.

For new users, make sure the register page puts their password into the newPassword column and makes isRequired NO.

Down the line

Eventually when all the isRequired values are NO you can update your database and coding to remove all old columns that are not in use any more, remove all code related to the MD5 hashing etc.

If some old users still have not changed their passwords you can remove their user and make them re-register. Perhaps send an email to all users saying if you have not updated their password before x day their data will be removed and they will have to re-register.

Matt
  • 1,749
  • 2
  • 12
  • 26
  • You really shouldn't use your own salts on password hashes and you really should use PHP's [built-in functions](http://jayblanchard.net/proper_password_hashing_with_PHP.html) to handle password security. Make sure that you [don't escape passwords](http://codereview.stackexchange.com/questions/79668/login-with-password-hash) or use any other cleansing mechanism on them before hashing. Doing so *changes* the password and causes unnecessary additional coding. – Jay Blanchard Apr 27 '16 at 12:39
  • @JayBlanchard when I say own salt I mean creating one such as `$random_salt = mcrypt_create_iv(24, MCRYPT_DEV_URANDOM);` – Matt Apr 27 '16 at 12:40
  • Since the PHP functions have a built-in random salt generator and store the salt with the hash there is no need to have the additional code. – Jay Blanchard Apr 27 '16 at 12:42
  • @JayBlanchard Whilst true, the post is theoretical and 'how to' rather than specific code. The OP can decide how to generate his own salt. – Matt Apr 27 '16 at 12:56
  • True dat @Matt. Anyhow, I liked your approach to the problem and I'll be using it for a similar issue. I had almost arrived at the method, but reading your post solidified it for me! ¯\\_(ツ)_/¯ – Jay Blanchard Apr 27 '16 at 12:58
  • @JayBlanchard glad it helped you out as well :) – Matt Apr 27 '16 at 13:26
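
The login and reset flow described in the answer above, as an added example that is not part of the original answer or its comments. It assumes the legacy column is named `password` and holds an unsalted hex `md5()` value, uses an in-memory array in place of the database table, and omits `newSalt` because `password_hash()` stores its salt inside the hash string.

```php
<?php
// Added example. Column names newPassword / isRequired follow the answer;
// the legacy column name 'password' and unsalted md5() are assumptions.
// Constructed sample data standing in for the users table.
$users = [
    'alice' => ['password' => md5('correct horse'), 'newPassword' => null, 'isRequired' => 'YES'],
];

/** Returns 'ok', 'reset_required' or 'denied'. */
function login(array $users, string $name, string $password): string
{
    if (!isset($users[$name])) {
        return 'denied';
    }
    $u = $users[$name];
    if ($u['isRequired'] === 'YES') {
        // Legacy path: constant-time comparison against the old MD5 column.
        // A match only proves identity; the caller must send the user to the reset page.
        $legacy = is_string($u['password']) ? $u['password'] : '';
        return hash_equals($legacy, md5($password)) ? 'reset_required' : 'denied';
    }
    // Migrated path: the hash string carries its own algorithm, cost and salt.
    return is_string($u['newPassword']) && password_verify($password, $u['newPassword'])
        ? 'ok'
        : 'denied';
}

/** Stores the new hash, discards the MD5 value and flips the flag. */
function completeReset(array &$users, string $name, string $newPassword): void
{
    // The password is hashed as typed: no escaping or trimming beforehand.
    $users[$name]['newPassword'] = password_hash($newPassword, PASSWORD_DEFAULT);
    $users[$name]['password']    = null; // the weak hash is not kept once it is unused
    $users[$name]['isRequired']  = 'NO';
}

// Walk one user through the migration.
var_dump(login($users, 'alice', 'correct horse'));       // old password, before reset
completeReset($users, 'alice', 'new long passphrase');
var_dump(login($users, 'alice', 'new long passphrase')); // new password, after reset
var_dump(login($users, 'alice', 'correct horse'));       // old password, after reset
```

Clearing the legacy column per user at reset time means the MD5 values disappear as accounts migrate, rather than staying in the table until the old column is dropped.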
2

MD5 is a hash - not an encryption. It doesn't hold the whole data in it - works like an identifier to data. So it cannot be decrypted. So basically you cannot change the existing users' passwords to your own encryption without hampering them.

More for study:

http://en.wikipedia.org/wiki/MD5#Algorithm

https://stackoverflow.com/a/2717958/926943

Community
  • 1
  • 1
Himel Nag Rana
  • 744
  • 1
  • 11
  • 19