How to upgrade a password storage scheme (change hashing-algorithm)

Question

I\'ve been asked to implement some changes/updates to an intranet-site; make it \'future proof\' as they call it.

We found that the passwords are hashed using the MD5

Answer 1

You should change your password database to store 3 items:

1. An algorithm identifier.
2. A random salt string chosen by the server when it first computes and stores the password hash.
3. The hash of the concatenation of salt+password using the specified algorithm.

Of course these could just be stored together in one text field with a delimiter:

"SHA256:this-is-salt:this-is-hash-value"

Now convert you existing entries to a value with empty salt and the old algorithm

"MD5::this-is-the-old-md5-hash-without-salt"

Now you have enough information to verify all you existing password entries, but you can also verify new entries (since you know which hash function was used). You can convert the old entries to the new algorithm the next time the existing users login since you will have their password available during this process:

1. If your database indicates they are using the old algorithm with no salt, first verify the password the old way by checking that the MD5 hash of the password matches. If not, reject the login.
2. If the password was verified, have the server choose a random salt string, compute the SHA256 hash of the salt+password, and replace the password table entry with a new one specifiy the new algorithm, salt and hash.
3. When the user logs in again, you'll see they are using the new algorithm, so compute the hash of the salt+password and check that it matches the stored hash.

Eventually, after this system has been running for a suitable time, you can disable accounts that haven't been converted (if desired).

The addition of a random salt string unique to each entry makes this scheme much more resistent to dictionary attacks using rainbow tables.