We have been using PWDENCRYPT in our site to hash passwords, but we want to change it to using HASHBYTES.
Is it possible to make this conversion automatic? I know that it is not possible to decrypt those strings, but what do I have to consider to make this conversion?
Thanks in advance for an answer.
I can't think of a way to directly convert between the two, but if you can modify the application code, one solution could be to gradually phase out the use of PWDENCRYPT. When a user attempts to log in, check if their hashed password is stored with PWDENCRYPT or HASHBYTES. If the hash is stored with HASHBYTES, validate the entered password and log the user in. If the hash is stored with PWDENCRYPT (and validated) then prompt the user to choose a new password before continuing. When the user has chosen a new password, hash it using HASHBYTES, and blank out the PWDENCRYPT hash.

After some time, most password hashes will have been migrated to using HASHBYTES and you can disable the use of PWDENCRYPT. If a user who has not yet migrated attempts to log in, they will need to go through the "reset password" process (which of course should use HASHBYTES).

DISCLAIMER: if you can modify the application code, I strongly suggest that you instead use some of the built-in mechanisms for hashing and validating passwords, such as Microsoft's own PasswordHasher.
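The login-time migration described in this answer, written out as T-SQL (an example added here, not the answer author's code): the Users table layout, the per-user salt column and the procedure names are assumptions; PWDCOMPARE, HASHBYTES and CRYPT_GEN_RANDOM are SQL Server built-ins.

```sql
-- Assumed schema (example only): a column for the legacy PWDENCRYPT hash, plus salt + hash for HASHBYTES.
CREATE TABLE dbo.Users (
    UserId        int            NOT NULL PRIMARY KEY,
    UserName      nvarchar(128)  NOT NULL UNIQUE,
    LegacyPwdHash varbinary(128) NULL,   -- output of PWDENCRYPT(); NULL once migrated
    PwdSalt       varbinary(16)  NULL,   -- random per-user salt for the HASHBYTES scheme
    PwdHash       varbinary(32)  NULL    -- HASHBYTES('SHA2_256', salt + password)
);
GO
-- Login check. @Result: 0 = invalid, 1 = valid, 2 = valid but legacy hash, caller must prompt for a new password.
CREATE PROCEDURE dbo.CheckLogin
    @UserName nvarchar(128), @Password nvarchar(128), @Result int OUTPUT
AS
BEGIN
    SET NOCOUNT ON;
    DECLARE @Legacy varbinary(128), @Salt varbinary(16), @Hash varbinary(32);
    SELECT @Legacy = LegacyPwdHash, @Salt = PwdSalt, @Hash = PwdHash
      FROM dbo.Users WHERE UserName = @UserName;
    SET @Result = 0;
    IF @Hash IS NOT NULL
    BEGIN
        -- New scheme: recompute the hash over salt + UTF-16 bytes of the entered password
        IF HASHBYTES('SHA2_256', @Salt + CONVERT(varbinary(256), @Password)) = @Hash
            SET @Result = 1;
    END
    ELSE IF @Legacy IS NOT NULL
    BEGIN
        -- Legacy scheme: PWDCOMPARE validates a password against a PWDENCRYPT hash
        IF PWDCOMPARE(@Password, @Legacy) = 1
            SET @Result = 2;   -- valid, but the application must now ask for a new password
    END
END
GO
-- Called once the user has chosen a new password: store the HASHBYTES hash and blank out the PWDENCRYPT one.
CREATE PROCEDURE dbo.SetPassword
    @UserName nvarchar(128), @NewPassword nvarchar(128)
AS
BEGIN
    SET NOCOUNT ON;
    DECLARE @Salt varbinary(16) = CRYPT_GEN_RANDOM(16);
    UPDATE dbo.Users
       SET PwdSalt = @Salt,
           PwdHash = HASHBYTES('SHA2_256', @Salt + CONVERT(varbinary(256), @NewPassword)),
           LegacyPwdHash = NULL
     WHERE UserName = @UserName;
END
GO
```

Once every row has LegacyPwdHash = NULL, the ELSE IF branch in CheckLogin can be removed and PWDENCRYPT is no longer referenced anywhere. A single SHA2_256 pass is still a fast hash, which is why the answer's pointer to PasswordHasher (a slow, iterated scheme) stands.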