Going from unsalted to salted MD5 passwords

Backend · Unresolved · 12 · 853
臣服心动 2021-02-07 02:56

I have a LAMP (PHP) website which is becoming popular.

I played it safe by storing the user passwords as md5 hashes.

But I now see that's not secure; I should h

12 answers
  •  暗喜 (OP)
    2021-02-07 03:44

    Salt the original hash as mentioned by others. Just a few pointers here:

    • Salts are better the longer they are, and also if they contain more than just [a-z0-9], but length is better first of all.
    • If someone already has a copy of your DB and you rehash the same passwords with salt, rehashing the old hash with salt will not work. Instead you really should force users to make a new password.
    • You should match new passwords (and passwords to be salted) up against various lists of the most commonly used passwords. These are used in "brute force" attacks. Prompt/force the user to change the password.
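
A PHP sketch of the three points in this answer (wrap the existing md5 hashes at rest, upgrade each user to a salted slow hash at login, and screen new passwords against a common-password list), added here as an example and not taken from the question or any answer; the row layout, column names and the tiny password list are assumptions.

```php
<?php
// Added example, not code from the question or answers. Assumes a user row with a
// 'hash' column and a 'scheme' column ('md5', 'md5-wrapped' or 'modern'); an array stands in for the DB.

// Constructed sample row: 'alice' still has a legacy unsalted md5 of her password.
$users = ['alice' => ['hash' => md5('correct horse'), 'scheme' => 'md5']];

// Constructed stand-in for a real list of the most commonly used passwords.
$commonPasswords = ['123456', 'password', 'qwerty'];

// Step 1 (offline, before users log in): wrap each legacy md5 hash in a salted,
// slow hash. The md5 hex digest is treated as the "password"; password_hash()
// generates a random salt per row, so identical md5 values no longer look alike.
function wrapLegacyHash(string $md5Hex): string {
    return password_hash($md5Hex, PASSWORD_DEFAULT);
}

// Step 2 (at login): verify under the row's current scheme, then, since the
// plaintext is in hand, replace the row with a direct password_hash() of it.
function loginAndUpgrade(array &$row, string $password): bool {
    switch ($row['scheme']) {
        case 'md5':
            $ok = hash_equals($row['hash'], md5($password));
            break;
        case 'md5-wrapped':
            $ok = password_verify(md5($password), $row['hash']);
            break;
        default:
            $ok = password_verify($password, $row['hash']);
    }
    if (!$ok) return false;
    // Anything not already a current password_hash() value gets upgraded now.
    if ($row['scheme'] !== 'modern' || password_needs_rehash($row['hash'], PASSWORD_DEFAULT)) {
        $row['hash']   = password_hash($password, PASSWORD_DEFAULT);
        $row['scheme'] = 'modern';
    }
    return true;
}

// Step 3: reject new passwords that appear on the common-password list.
function isCommonPassword(string $password, array $list): bool {
    return in_array(strtolower($password), $list, true);
}

// Walk-through: wrap at rest, fail a wrong login, succeed and upgrade, screen a new password.
$users['alice'] = ['hash' => wrapLegacyHash($users['alice']['hash']), 'scheme' => 'md5-wrapped'];
var_dump(loginAndUpgrade($users['alice'], 'wrong password'));
var_dump(loginAndUpgrade($users['alice'], 'correct horse'), $users['alice']['scheme']);
var_dump(isCommonPassword('Password', $commonPasswords));
```

Wrapping at rest only protects hashes that have not already been copied; as the answer notes, users whose old md5 values already leaked still need to set a new password.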
