  1. #1
    Senior Coder
    Join Date
    Nov 2010
    Posts
    1,376
    Thanks
    263
    Thanked 32 Times in 31 Posts

    converting md5 password to sha256 with salt

    I am moving one of my sites over to a new script.
    Rather than have to go through all the motions to convert an md5 varchar40 password to a sha256 varchar64 with salt password, I am thinking it would be better to just assign a random password to each account, then have the members use the forgot password routine to set their password back.

    Sounds like it would work much better. Besides, it's only a 200 member site.

  • #2
    Regular Coder
    Join Date
    Jun 2009
    Posts
    139
    Thanks
    3
    Thanked 20 Times in 20 Posts
    Two better options (both require more work) would be to either

    1)

    Add the new SALT + Sha256 below the current one, so you are salting then encrypting the MD5.

    2) Set up, as part of your login, a reset-password prompt upon login. More professional; you would just need an extra column in your passwords to see if they use new or old, and then in your login script use the login script based on old or new.


    I guess the question is: will your customers believe you, or will they think you have lost their passwords -> loss of business?

  • #3
    Master Coder felgall
    Join Date
    Sep 2005
    Location
    Sydney, Australia
    Posts
    6,614
    Thanks
    0
    Thanked 645 Times in 635 Posts
    The only way to make the change without your visitors knowing would be if you add the new password field while retaining the old one.

    The first time they log in after you make the change you hash their password both ways to validate against the old field and to save in the new field. You then clear the old field to indicate that any subsequent logins should validate against the new field.

    Once all the old password fields have been cleared through everyone having logged in and set their new hash you can then delete that column from the database.

    That's the only way you can convert from one hash to a different hash as only the individuals know what their actual password is to be able to enter it.
    Stephen
    Learn Modern JavaScript - http://javascriptexample.net/
    Helping others to solve their computer problem at http://www.felgall.com/

    Don't forget to start your JavaScript code with "use strict"; which makes it easier to find errors in your code.

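    The two transparent approaches described in this thread, post #2's option 1 (wrapping the stored MD5 inside the new salted SHA-256 in a one-off batch, so nobody has to do anything) and felgall's lazy rehash on first login (validate against the old column, store the new hash, clear the old column), can be combined: rows are wrapped immediately, and the MD5 layer is dropped the first time the real password is seen. The block below is an added example and is not code from the thread or from the poster's site. It is written in Python with an in-memory dict standing in for the users table; the sample accounts, passwords, column names and the `wrapped` flag are constructed for illustration.

```python
import hashlib
import hmac
import secrets


def md5_hex(password: str) -> str:
    """Legacy hash exactly as the old script stored it (32 hex chars)."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def salted_sha256(data: str, salt: bytes) -> str:
    """New scheme: SHA-256 over salt || data, hex encoded (64 chars, fits varchar64)."""
    return hashlib.sha256(salt + data.encode("utf-8")).hexdigest()


def make_sample_table() -> dict:
    """Constructed stand-in for the users table after the new columns were added.
    'md5' is the old column; 'salt', 'sha256' and 'wrapped' are the new ones.
    The accounts and passwords are made up for this example."""
    return {
        "alice": {"md5": md5_hex("correct horse"), "salt": None, "sha256": None, "wrapped": False},
        "bob": {"md5": md5_hex("bobpass"), "salt": None, "sha256": None, "wrapped": False},
    }


def store_new_hash(row: dict, data: str, wrapped: bool) -> None:
    """Write a fresh random salt and salted SHA-256 into the new columns and clear the old one."""
    salt = secrets.token_bytes(16)
    row["salt"] = salt.hex()
    row["sha256"] = salted_sha256(data, salt)
    row["wrapped"] = wrapped
    row["md5"] = None  # empty old column means: validate against the new field from now on


def migrate_in_place(row: dict) -> None:
    """Post #2 option 1: wrap the existing MD5 hex inside the new salted SHA-256.
    Runs as a batch with no user interaction. 'wrapped' records that a login
    check must MD5 the candidate password before the salted SHA-256."""
    if row["md5"]:
        store_new_hash(row, row["md5"], wrapped=True)


def login(table: dict, username: str, password: str) -> bool:
    """felgall's lazy rehash. Returns True on a valid password and, as a side
    effect, upgrades the row to a direct salted SHA-256 of that password."""
    row = table.get(username)
    if row is None:
        return False

    if row["md5"]:
        # Old column still set: validate against MD5, then move to the new field.
        if not hmac.compare_digest(row["md5"], md5_hex(password)):
            return False
        store_new_hash(row, password, wrapped=False)
        return True

    salt = bytes.fromhex(row["salt"])
    candidate = md5_hex(password) if row["wrapped"] else password
    if not hmac.compare_digest(row["sha256"], salted_sha256(candidate, salt)):
        return False
    if row["wrapped"]:
        # Wrapped row seen together with the real password: drop the MD5 layer for good.
        store_new_hash(row, password, wrapped=False)
    return True


def column_can_be_dropped(table: dict) -> bool:
    """True once every account has been rehashed, i.e. the old md5 column is empty everywhere."""
    return all(not row["md5"] for row in table.values())
```

Comparisons go through `hmac.compare_digest` so a mismatch does not leak how many leading characters matched. One caveat a practitioner would add: a single salted SHA-256 is fast to compute, so it is a weak choice for passwords compared with a deliberately slow hash such as bcrypt or Argon2 (in PHP, `password_hash` and `password_verify`); the same two-column migration works unchanged with those, since only `store_new_hash` and the final comparison would differ.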

  • #4
    Senior Coder
    Join Date
    Feb 2011
    Location
    Your Monitor
    Posts
    4,304
    Thanks
    57
    Thanked 525 Times in 512 Posts
    Blog Entries
    5
    I'm with felgall on this as it offers a completely transparent update that your users will never notice and that is really the best way forward. Requiring all your users to reset their passwords will be unwanted hassle for your users.
    See my new CodingForums Blog: http://www.codingforums.com/blogs/tangoforce/

    Many useful explanations and tips including: Cannot modify headers - already sent, The IE if (isset($_POST['submit'])) bug explained, unexpected T_CONSTANT_ENCAPSED_STRING, debugging tips and much more!

  • #5
    Senior Coder
    Join Date
    Nov 2010
    Posts
    1,376
    Thanks
    263
    Thanked 32 Times in 31 Posts
    Thank you all, appreciate all your input... well, the users do know about the conversion. I sent out a mass email asking them for their input and that I had the idea about changing the script over to a FB (Facebook) dashboard style front end. Although I personally hate FB, their front end style does seem to be popular and my traffic is suffering.

    So as I said, I sent out a mass email explaining my idea that changing the front end may result in more traffic, and more traffic means more potential members. I very rarely get feedback from emails like this from the members, but I do it as a courtesy. But this time a ton of them wrote back and said heck yes; although they like my site, they LOVE the FB layout and they can't wait for me to convert.

    So I guess I'm committed to the idea now, hell or high water lmao...

    But anyway, they do know that there may be some data loss and maybe some site downtime.
    Last edited by durangod; 05-13-2013 at 02:43 PM.

