0

Client wants to switch its password hashing from SHA-1 to SHA-256 but can anyone suggest how to migrate old users to new hashing. I have already two strategies that are mentioned below.

  1. Force Password change: By enabling force password change every user has to change his/her password one time.

  2. Change Password on Login: When user enters his/her password first check correct password with old hashing than update password in DB with new hashing.

But in both above methods I have to keep both hashing's in the code but client wants to remove SHA-1 from code. Is there any other approach to tackle this issue.

Muhammad bux
  • 36
  • 1
  • 6
  • during the transition you have to keep both password but as soon as the user as change or logged in you can remove the old hash. – JEY Nov 08 '21 at 08:13
  • You can also before the transition hash the current hash with another hash function and combine those two in your login handler. – JEY Nov 08 '21 at 08:26
  • Can you communicate user to Reset their password through some channel and provide some unique tokens by using which they can update their password on relogin like some OTP based password update? – Samarth Nov 08 '21 at 09:02
  • You have to stick with a rolling migration. Otherwise you would need to reverse all hashes and then rehash them. And this would take a very long time. https://stackoverflow.com/a/2235104/7082956 – Valerij Dobler Nov 08 '21 at 09:02
  • Not really no, that's why it's called a secure hash. You have to also consider that there will usually be old users who won't be logging in, so you have to have quite a long lead period for them to change their password and then decide if you want to force them to re-register altogether if you don't hear from them. – eis Nov 08 '21 at 09:10
  • If you're changing password hashes anyway then change to a purpose-designed password hash like argon2. – President James K. Polk Nov 08 '21 at 23:03

0 Answers0