Elliot S

Reputation: 41

How do I convert from MD5 to any other hash?

I just downloaded my best friend's script he used many years ago and all the passwords are using MD5 hash which I'd like to change. Now I'm not so good at coding so I ask you guys where to start. Do I convert this in the database or in the script? I want from now on everyone who signs up to have another hash, I'm thinking of SHA-2.

So I guess there should be something that's saying md5 in the code which I'm going to change to SHA-2? Am I right? If anyone here could tell me what the MD5 hash looks like in the code I can just search for that in every file until I find it. Also please tell me how to replace it with SHA-2.

Thank you.

Upvotes: 3

Views: 2903

Answers (3)

Machavity

Reputation: 31614

I like Jay's answer but there's an even better way to do this.

You'll need another field in your DB. We'll call it legacy for this example. It's a simple Yes/No and defaults to No. What you do is take all the MD5 hashes you have and you push them into password_hash. Then you write the new hash over the MD5 and set legacy to Yes.

When you go to log in, you pull their record (based on the username) and you get the password and legacy fields. Then you do something like this:

$password = $_POST['password'];
// $result is the row from your query. I like arrays so we'll use that
// For a legacy row, MD5 the submitted password first so it matches what was wrapped
if ($result['legacy'] == 'Yes') $password = md5($password);
if (password_verify($password, $result['password'])) {
    // password is correct: log the user in
}

This does two things:

  1. You don't need to know what's in the MD5 hashes first
  2. You're still using password_hash regardless

Just remember that if they update their password, set the legacy field to No.

Upvotes: 1

Jay Blanchard

Reputation: 34406

Because you cannot decrypt MD5 you can handle the migration like this and make it invisible to the user:

Once you have decided the hashing method to be employed (I recommend using PHP's built-in functions to handle password security):

  1. Add a new column to the user database for the new hash, based on the hashing method to be employed.
  2. On user login check the table to see if they have an MD5 password (and it matches) and see if the new hash has been entered.

    a. If they do not have a new hash, create one in the new column based on the password they logged in with.

    b. If they do have a new hash verify their password against the new hash.

At a certain point every user, by virtue of logging in, will update their own hashes.
In addition make sure that you don't escape passwords or use any other cleansing mechanism on them before hashing. Doing so changes the password and causes unnecessary additional coding.

Upvotes: 7
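Putting Machavity's legacy-flag scheme and Jay's rehash-on-login step together in PHP, as an added example that is not code from either answer: a PHP array stands in for the users table, the sample row is constructed, and the 32-hex-digit check used to spot an unwrapped MD5 digest is this example's own assumption.

```php
<?php
// Added example (not from the original answers): wrap legacy MD5 digests in
// password_hash() once, then upgrade each user transparently at their next login.
// $users stands in for the database table; the row below is constructed.
$users = [
    'alice' => ['password' => md5('correct horse'), 'legacy' => 'No'],
];

// Step 1 (run once, offline): wrap every stored MD5 digest in password_hash()
// and flag the row as legacy. No plaintext password is needed for this.
function wrapLegacyHashes(array $users): array {
    foreach ($users as $name => $row) {
        // Assumption: an unwrapped row holds a bare 32-hex-digit MD5 digest.
        if ($row['legacy'] === 'No' && preg_match('/^[0-9a-f]{32}$/', $row['password'])) {
            $users[$name] = [
                'password' => password_hash($row['password'], PASSWORD_DEFAULT),
                'legacy'   => 'Yes',
            ];
        }
    }
    return $users;
}

// Step 2 (every login): for a legacy row, MD5 the submitted password first so it
// matches what was wrapped. On success, store a direct password_hash() of the
// plaintext and clear the flag, so the MD5 layer disappears as users log in.
function login(array &$users, string $name, string $submitted): bool {
    if (!isset($users[$name])) {
        return false;
    }
    $row = $users[$name];
    $candidate = ($row['legacy'] === 'Yes') ? md5($submitted) : $submitted;
    if (!password_verify($candidate, $row['password'])) {
        return false;
    }
    if ($row['legacy'] === 'Yes' || password_needs_rehash($row['password'], PASSWORD_DEFAULT)) {
        $users[$name] = [
            'password' => password_hash($submitted, PASSWORD_DEFAULT),
            'legacy'   => 'No',
        ];
    }
    return true;
}

$users = wrapLegacyHashes($users);
var_dump(login($users, 'alice', 'wrong'));          // wrong password is rejected
var_dump(login($users, 'alice', 'correct horse'));  // accepted; row is upgraded
var_dump($users['alice']['legacy']);                // flag cleared after upgrade
```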

Byson

Reputation: 550

The md5 hashing function is called md5("my password") or hash("md5", "my password"). You could replace either with hash("sha256", "my password") or hash("sha512", "my password").

But...

These are not very safe either. Use the suggested password_hash() function. This function is just as simple: password_hash(string $password, integer $algorithm), where the algorithm is one of the PASSWORD_* constants.

Read the notes on the function page, and read these notes for the algorithm.

Upvotes: 0
