DEVHIDE
Login Or Sign up

Re-Hash user database

323 Views Asked by At

I was wondering if there was a method to change the way my site hashed passwords. My coder friend wasn't the smartest when he didn't add salts to the sha512 hash. So now it is very insecure and I wish to change that. I was thinking about making some complicated code to rehash when someone who has the old hash type logs in and it would set the variable to true after adding a salt. Or I could take the currently hashed passwords and somehow fuse a salt into them. I would rather not reset my user database if I don't have to. Any idea would help. I am also quite the php noob so please explain if you include code.

It is Hashed using this method.

<?php hash('sha512',"passwordhere") ?>
php hash salt password-encryption sha512
Original Q&A
3

There are 3 best solutions below

2
On BEST ANSWER
  1. Alter your user table to include a 'salt' column, default value of 'NULL'.
  2. Alter your login code to check if the user has a salt:
    • If yes, compare the salted hashes and log in
    • If no:
      1. Compare the unsalted hashes.
      2. Generate a random salt.
      3. Generate your salty hash.
      4. Store your new salt and hash in the database.
      5. Continue the login process.

Of course, you will also need to update your code for registration, password change/recovery, etc.

Alternatively, instead of a 'salt' column you could put in a 'hash_ver' column and use that to determine which validation method to use and when to update the hash. That way if you wish to use a hashing method that packs the salt in with the hash like bcrypt you don't get stuck trying to figure out what type of hash you're dealing with.

0
On

Every password-storing-system must have the option to switch to a better hash algorithm, your problem is not a one-time migration problem. In the answer to this question i tried to point out the necessary steps.

Note: Fast hash algorithms like SHA-* are not appropriate to hash passwords, instead switch directly to a slow key-derivation function like BCrypt. The new PHP function password_hash() will make hashing easy (it will generate a safe salt for you), and is "future proof", also it will make switching in future possible.

0
On 
$old_hash = hash('sha512',"passwordhere");
$salt = ''; // Generate salt here
$new_hash = hash('sha512', $old_hash.$salt) ;

Related Questions in PHP

Related Questions in HASH

Related Questions in SALT

Related Questions in PASSWORD-ENCRYPTION

Related Questions in SHA512

Trending Questions

Popular # Hahtags

javascript python java c# php android html jquery c++ css ios sql mysql r reactjs node.js arrays c asp.net json python-3.x ruby-on-rails .net sql-server swift django angular objective-c pandas excel

Popular Questions

Copyright © 2021 Jogjafile Inc.