How to upgrade a password storage scheme (change hashing-algorithm)

庸人自扰 2021-02-02 09:33

I've been asked to implement some changes/updates to an intranet-site; make it 'future proof' as they call it.

We found that the passwords are hashed using the MD5

7 answers
  •  天涯浪人
    2021-02-02 10:10

    You could store, either in the hash field itself (e.g. "MD5:d41d8cd98f00b204e9800998ecf8427e") or in another column, which algorithm was used to create that hash. Then you'd have to modify the login process to use the correct algorithm when checking the password. Naturally, any new passwords will be hashed using the new algorithm. Hopefully, passwords eventually expire, and over time all of the MD5 hashes will be phased out.
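
The prefix-dispatch login check described in this answer, as an added example that is not part of the original post. PBKDF2-HMAC-SHA256 as the new algorithm, the iteration count, the record layout after the prefix and the function names are assumptions; re-hashing on a successful login goes one step beyond the answer, so legacy hashes are retired at next login rather than only at expiry.

```python
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 600_000  # assumed work factor; tune for your hardware


def hash_password(password: str) -> str:
    """Hash a new password with the current scheme (PBKDF2 is this example's choice)."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"PBKDF2:{PBKDF2_ITERATIONS}:{salt.hex()}:{digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Pick the algorithm from the prefix stored with the hash, then compare."""
    scheme, _, rest = stored.partition(":")
    if scheme == "MD5":  # legacy unsalted hash, format as in the answer's example
        candidate = hashlib.md5(password.encode()).hexdigest()
        return hmac.compare_digest(candidate.encode(), rest.lower().encode())
    if scheme == "PBKDF2":
        try:
            iterations, salt_hex, digest_hex = rest.split(":")
            expected = bytes.fromhex(digest_hex)
            candidate = hashlib.pbkdf2_hmac(
                "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
        except (ValueError, OverflowError):
            return False  # malformed record
        return hmac.compare_digest(candidate, expected)
    # Unknown or missing prefix: reject. Existing rows must be given the
    # "MD5:" prefix in a one-off migration before this code goes live.
    return False


def login(password: str, stored: str):
    """Return (ok, record_to_store); a legacy record is replaced on success."""
    if not verify_password(password, stored):
        return False, stored
    if not stored.startswith("PBKDF2:"):
        # The plaintext is only available now, so upgrade the record here.
        return True, hash_password(password)
    return True, stored
```

The caller writes the second return value of `login` back to the user's row whenever it differs from what was read.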
