Abhay Naik

Reputation: 405

How to migrate from sha256 encryption to bcrypt for PHP?

For Login:

$rows       = $sql->fetch(PDO::FETCH_ASSOC);
$us_id      = $rows['id'];
$us_pass    = $rows['password'];
$us_salt    = $rows['password_salt'];
$status     = $rows['attempt'];
$saltedPass = hash('sha256', "{$password}{$this->passwordSalt}{$us_salt}");

For Register:

$randomSalt = $this->rand_string(20);
$saltedPass = hash('sha256', "{$password}{$this->passwordSalt}{$randomSalt}");

How can this sha256 encryption method be converted to bcrypt?

Upvotes: 3

Views: 2065

Answers (1)

Grokify

Reputation: 16324

Password Hashing Using bcrypt

If you are using PHP 5.5 or later, you can use the built-in password_hash() function with the $algo parameter set to PASSWORD_BCRYPT to create bcrypt hashes. You can use it like so:

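// Let password_hash() generate the salt: a fixed 'salt' such as 'my_salt' is shorter than
// the 22 characters bcrypt requires, and the option is deprecated as of PHP 7.0.
$options = array('cost' => 11);
$hash = password_hash("my_secret_password", PASSWORD_BCRYPT, $options);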

Migration

It's not possible to do a bulk migration from sha256 to bcrypt because you need the original plaintext data (password) which isn't available.

Typically, sites do a staged conversion where you convert users as they perform successful logins. For example:

  1. create a field in your database for password hash type, sha256 or bcrypt
  2. upon login, verify the password using the type in the database
  3. if sha256 and successful, create a new bcrypt entry using the entered password, store that and update the password type to bcrypt. On the next login, bcrypt will now be used for verification.

Upvotes: 4
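
The staged conversion described in the answer above, as an added example that is not part of the original question or answer. The `users` table, its `hash_type` column, the `APP_PEPPER` constant (standing in for the question's `$this->passwordSalt`) and the function names are assumptions, and the demo row is constructed.

```php
<?php
// Added example: schema, APP_PEPPER and function names are assumptions, not the asker's code.
const APP_PEPPER = 'constructed-site-wide-salt';   // stands in for $this->passwordSalt

function legacyHash(string $password, string $userSalt): string {
    // Same construction as the question's sha256 scheme.
    return hash('sha256', $password . APP_PEPPER . $userSalt);
}

function login(PDO $db, string $name, string $password): bool {
    $q = $db->prepare('SELECT id, password, password_salt, hash_type FROM users WHERE name = ?');
    $q->execute([$name]);
    $u = $q->fetch(PDO::FETCH_ASSOC);
    if ($u === false) {
        return false;
    }
    // Step 2: verify with whichever scheme the row is marked with.
    if ($u['hash_type'] === 'bcrypt') {
        $ok = password_verify($password, $u['password']);
    } else {
        // hash_equals() compares the two digests in constant time.
        $ok = hash_equals($u['password'], legacyHash($password, (string) $u['password_salt']));
    }
    if (!$ok) {
        return false;
    }
    // Step 3: on success, re-hash legacy rows (and bcrypt rows with an outdated cost).
    $opts = ['cost' => 11];
    if ($u['hash_type'] !== 'bcrypt' || password_needs_rehash($u['password'], PASSWORD_BCRYPT, $opts)) {
        $up = $db->prepare("UPDATE users SET password = ?, password_salt = NULL, hash_type = 'bcrypt' WHERE id = ?");
        $up->execute([password_hash($password, PASSWORD_BCRYPT, $opts), $u['id']]);
    }
    return true;
}

// Constructed demo data in an in-memory SQLite database (requires pdo_sqlite).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, password TEXT, password_salt TEXT, hash_type TEXT)');
$ins = $db->prepare("INSERT INTO users (name, password, password_salt, hash_type) VALUES (?, ?, ?, 'sha256')");
$ins->execute(['alice', legacyHash('correct horse', 'constructedsalt12345'), 'constructedsalt12345']);

var_dump(login($db, 'alice', 'wrong guess'));    // failed login: row is left on sha256
var_dump(login($db, 'alice', 'correct horse'));  // verified with sha256, then re-hashed
echo $db->query("SELECT hash_type FROM users WHERE name = 'alice'")->fetchColumn(), "\n";
var_dump(login($db, 'alice', 'correct horse'));  // now verified with password_verify()
```

The bcrypt salt is embedded in the hash string that password_hash() returns, so the separate `password_salt` value is cleared once a row has been upgraded.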
