Uffo

Reputation: 10046

re-crypt sha1 password with bcrypt

So as anyone I have a table where I store users, and right now the passwords are saved using SHA1, and I want to upgrade the passwords to use bcrypt.

Which is the best way to do this?

Make a script that takes every user in the table and UPDATEs the table with the bcrypt password? What I'm more interested in is how to convert a SHA1 pass to bcrypt (PHP).

Upvotes: 0

Views: 257

Answers (1)

Quentin

Reputation: 943556

You need the clear text version of the password in order to bcrypt it and the point of a one-way hash is that you can't reverse it. Now, SHA1 is a weak hash, so you could probably brute force it, but you might end up getting a collision and finding incorrect suitable input (and it would take a serious chunk of processing power).

Rewrite your logic so that when someone logs in, you check against the bcrypted password if you have one and the sha1 password if you don't.

Prompt users to change their password when they log in while they still have a sha1 password.

Consider moving from a prompt to insisting after a while.

Consider force-resetting passwords for everyone still with a sha1 password and sending password reset emails. Make sure you don't look like a phishing attack when you do so!

Upvotes: 4
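The dual-check login described in the answer, as an added PHP example (not code from the answerer or the asker). It assumes the user row has two nullable columns, `sha1` and `bcrypt`, that the legacy SHA1 hashes are unsalted hex digests as produced by PHP's `sha1()`, and it stands in for the database with an in-memory array: the place where the row is modified is where a real application would run its `UPDATE`. The point it makes concrete is that a SHA1 hash is never converted; the only moment you can produce a bcrypt hash is the moment the user hands you the clear text at login.

```php
<?php
declare(strict_types=1);

// Constructed in-memory "users table": one legacy SHA1 user, one already on bcrypt.
// In a real application these rows come from the database and the writes below
// become UPDATE statements.
$users = [
    'alice' => ['sha1' => sha1('correct horse'), 'bcrypt' => null],
    'bob'   => ['sha1' => null, 'bcrypt' => password_hash('battery staple', PASSWORD_BCRYPT)],
];

/**
 * Check a login attempt against whichever hash the row carries, and upgrade a
 * successfully verified SHA1 user to bcrypt on the spot. Returns true on success.
 *
 * @param array{sha1: ?string, bcrypt: ?string} $row  user row, modified in place
 */
function loginAndUpgrade(array &$row, string $password): bool
{
    if ($row['bcrypt'] !== null) {
        // Modern path: password_verify does a constant-time compare against the stored hash.
        if (!password_verify($password, $row['bcrypt'])) {
            return false;
        }
        // If the bcrypt cost was raised since this hash was created, refresh it now,
        // because this is the only time the clear text is available.
        if (password_needs_rehash($row['bcrypt'], PASSWORD_BCRYPT)) {
            $row['bcrypt'] = password_hash($password, PASSWORD_BCRYPT);
        }
        return true;
    }

    // Legacy path: only reachable while the row still carries a SHA1 hash.
    // hash_equals avoids a timing side channel on the string comparison.
    // If your legacy scheme was salted, hash sha1($salt . $password) here instead (assumption:
    // the question describes plain SHA1).
    if ($row['sha1'] === null || !hash_equals($row['sha1'], sha1($password))) {
        return false;
    }

    // The user just proved the clear text; this is the one moment it can be bcrypted.
    $row['bcrypt'] = password_hash($password, PASSWORD_BCRYPT);
    $row['sha1']   = null; // drop the weak hash so nothing can fall back to it
    return true;
}

/** Count how many rows still carry only a SHA1 hash, for deciding when to force resets. */
function legacyUserCount(array $users): int
{
    $n = 0;
    foreach ($users as $row) {
        if ($row['bcrypt'] === null && $row['sha1'] !== null) {
            $n++;
        }
    }
    return $n;
}

// Constructed demo run: a wrong attempt leaves the row untouched, a correct one migrates it.
var_dump(loginAndUpgrade($users['alice'], 'wrong'));
var_dump(loginAndUpgrade($users['alice'], 'correct horse'));
var_dump($users['alice']['sha1'] === null, $users['alice']['bcrypt'] !== null);
var_dump(loginAndUpgrade($users['bob'], 'battery staple'));
var_dump(legacyUserCount($users));
```

`legacyUserCount` is the number to watch when following the answer's later steps: once it stops falling on its own, the remaining rows are the ones to force-reset, and after the migration the `sha1` column can be dropped entirely.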
