php Most efficient way to change the hash type of a password (md5 to sha1)?


// The user is not authenticated yet
$auth = false;
$updated = false;

// From your login form
$user = $_POST['user'];
$pass = $_POST['pass'];

// Check if the user has already updated their password
$updated = false; // not updated

// I guess you always do this
// (migrated users are checked against SHA-1, everyone else against MD5)
$password = $updated ? sha1($pass) : md5($pass);

// Do the authentication
// Select from database
// Check the data
// Set auth
$auth = true;

// Then change the password
if ($auth == true && !$updated) {
    $newpassword = sha1($pass);
    // Connect to DB
    // Update the password
    // Set status to updated in DB
    $updated = true;
}

// Better approach (instead of the SHA-1 block above)
if ($auth == true && !$updated) {
    // Hash the plaintext from the form, not the MD5/SHA-1 digest in $password
    $newpassword = password_hash($pass, PASSWORD_BCRYPT);
    // Connect to DB
    // Update the password
    // Set status to updated in DB
    $updated = true;
}

You cannot convert MD5 to SHA, but really your users only use their password when they are about to log in, so you can modify your script a little to do the update automatically.
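
The rehash-on-login flow described in this answer, as an added example that is not code from the thread. It assumes legacy rows hold an unsalted MD5 hex digest; `verify_and_upgrade` is a hypothetical helper name, and the `$users` array is a constructed stand-in for the database.

```php
<?php
declare(strict_types=1);

// Hypothetical helper (not from the thread): checks a login attempt against
// the stored hash and returns [authenticated, replacementHashOrNull].
function verify_and_upgrade(string $stored, string $pass): array
{
    // Assumption: legacy rows hold an unsalted MD5 hex digest (32 hex chars).
    if (preg_match('/^[0-9a-f]{32}$/i', $stored) === 1) {
        // Constant-time comparison of the legacy digest.
        if (!hash_equals(strtolower($stored), md5($pass))) {
            return [false, null];
        }
        // The plaintext is available only now, so hash the plaintext itself.
        return [true, password_hash($pass, PASSWORD_BCRYPT)];
    }

    // Already migrated: password_verify() reads the algorithm, cost and salt
    // from the stored string.
    if (!password_verify($pass, $stored)) {
        return [false, null];
    }
    // Re-hash again if the configured cost was raised since this hash was made.
    $new = password_needs_rehash($stored, PASSWORD_BCRYPT)
        ? password_hash($pass, PASSWORD_BCRYPT)
        : null;
    return [true, $new];
}

// Constructed sample record standing in for a database row.
$users = ['alice' => ['hash' => md5('correct horse')]];

foreach (['wrong guess', 'correct horse', 'correct horse'] as $attempt) {
    [$ok, $newHash] = verify_and_upgrade($users['alice']['hash'], $attempt);
    if ($ok && $newHash !== null) {
        // A real application would UPDATE the user's row here.
        $users['alice']['hash'] = $newHash;
    }
    printf("%-14s auth=%s stored=%s\n", $attempt, $ok ? 'yes' : 'no',
        substr($users['alice']['hash'], 0, 7));
}
```

Because the stored string identifies its own format, no separate "updated" flag column is needed, and the legacy branch can be deleted once no 32-character hex digests remain in the table.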

You would need the original plaintext passwords to create SHA1 versions of them. However, MD5 hashing is of course one-way. So unless you happen to have the plaintext version of the passwords, there is no way to do what you want.

You can't change the hash type without the user reentering their password. They are irreversible, one-way hashes. You could, I guess, try to do a lookup in a rainbow table, but since certain hashes have multiple collisions, that wouldn't work 100% of the time either. Also, your salt would render that ineffective. That's the point of having a salt.

The best you could hope for is to store both MD5 and SHA1 versions, and populate the SHA1 content when the user logs in. Just check to see if the SHA1 version is available, and if not, use the old validation strategy.

You should, eventually, migrate most of your users over to the new SHA1/SALT based system transparently.

You could build a second SHA1 field into your password table, and when users log in, it can check against the MD5 hash (if there's no SHA1 hash yet) and, if it's correct, re-hash it into SHA1 and store that. Once all the users have changed over to SHA1, you can remove your MD5 field. Have you salted the MD5 hashes?
