I've been asked to implement some changes/updates to an intranet-site; make it 'future proof' as they call it.
We found that the passwords are hashed using the MD5
First, add a field to the DB to identify whether or not the password is using MD5 or the new algorithm.
For all passwords still using MD5:
-- In the login process, where you verify a user's entered password: temporarily store the user's submitted password in memory (no security issue here, as it is already in memory somewhere) and do the usual MD5 hash & compare with the stored hash;
-- If the correct password was given (matches the existing hash), run the temporarily stored password through the new algorithm, store that value, update the new field to identify that this password has been updated to the new algorithm.
(Of course you would just use the new algorithm for any new users/new passwords.)
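
The upgrade-on-login flow described above, as an added sketch that is not part of the original answer. The page does not name the new algorithm, so salted PBKDF2-HMAC-SHA256 from Python's standard library is used as a stand-in; the `scheme` field, the in-memory `users` dict standing in for the DB table, and all function names are assumptions.

```python
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 600_000  # assumed work factor; tune for your hardware


def md5_hex(password):
    """Legacy scheme: unsalted MD5, hex-encoded (assumed storage format)."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def new_hash(password):
    """Stand-in for the new algorithm: PBKDF2 with a random per-user salt."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             salt, PBKDF2_ITERATIONS)
    return f"{PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_new(password, stored):
    """Recompute PBKDF2 with the stored salt and iteration count."""
    iterations, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


def login(users, username, password):
    """Verify a login and upgrade an MD5 record when the password is correct."""
    user = users.get(username)
    if user is None:
        return False
    if user["scheme"] == "md5":
        if not hmac.compare_digest(md5_hex(password), user["hash"]):
            return False  # wrong password: leave the legacy record untouched
        # Correct password: hash and flag are updated together so the row
        # never holds a new-style hash that is still marked as MD5.
        user["hash"] = new_hash(password)
        user["scheme"] = "pbkdf2"
        return True
    return verify_new(password, user["hash"])


def make_demo_users():
    """Constructed sample data: one account still on the legacy MD5 scheme."""
    return {"alice": {"scheme": "md5", "hash": md5_hex("correct horse")}}
```

In a real database the hash and the scheme flag should be written in one `UPDATE` (or one transaction). Accounts that never log in again keep their MD5 hash, so the flag also tells you which rows are still on the old scheme.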