<p>A cool way to secure all the existing passwords: use the existing hash as the input for the new, and better, password hash.</p>
<p>So if your existing hashes are straight MD5s, and you plan on moving to some form of <a href="http://en.wikipedia.org/wiki/PBKDF2" rel="nofollow noreferrer">PBKDF2</a> (or <a href="http://en.wikipedia.org/wiki/Crypt_(Unix)#Blowfish-based_scheme" rel="nofollow noreferrer">bcrypt</a>, or <a href="http://www.tarsnap.com/scrypt.html" rel="nofollow noreferrer">scrypt</a>), then change your password hash to:</p>
<pre><code>PBKDF2( MD5( password ) )
</code></pre>
<p>You already have the MD5 in your database so all you do is apply PBKDF2 to it.</p>
<p>The reason this works well is that the weaknesses of MD5 vs other hashes (e.g. SHA-*) don't affect password use. For example, its collision vulnerabilities are devastating for digital signatures but they <a href="http://en.wikipedia.org/wiki/Chosen-prefix_collision_attack#Attack_scenarios" rel="nofollow noreferrer">don't affect password hashes</a>. Compared to longer hashes MD5 reduces the hash search-space somewhat with its 128-bit output, but this is insignificant compared to the password search space itself, which is much, much smaller.</p>
<p>What makes a password hash strong is slowing down (achieved in PBKDF2 by iterations) and a random, long-enough salt - the initial MD5 doesn't adversely affect either of them.</p>
<p>And while you're at it, add a version field to the passwords too.</p>
<p><strong>EDIT</strong>: The cryptography StackExchange has an <a href="https://crypto.stackexchange.com/questions/2945/is-this-password-migration-strategy-secure">interesting discussion</a> on this method.</p>
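The migration the answer describes, as an added example that is not part of the original answer: existing unsalted MD5 records are wrapped offline as PBKDF2(MD5(password)) and tagged with a version field, and login verification dispatches on that version. The record layout, the choice of PBKDF2-HMAC-SHA256 and the iteration count are assumptions for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000  # assumed work factor; tune to your hardware and latency budget


def legacy_md5(password: str) -> str:
    """The old scheme: unsalted hex MD5 of the password (what the database already holds)."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def wrap_legacy_hash(md5_hex: str, salt: bytes = None, iterations: int = ITERATIONS) -> dict:
    """Upgrade one stored MD5 value to PBKDF2-HMAC-SHA256 over the MD5 hex string.

    No plaintext password is needed, so the whole table can be rewritten in one pass
    rather than waiting for each user to log in. Record layout is assumed."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", md5_hex.encode("ascii"), salt, iterations)
    return {"version": 2, "salt": salt.hex(), "iterations": iterations, "hash": dk.hex()}


def migrate_table(records: list, iterations: int = ITERATIONS) -> list:
    """Rewrite every version-1 (bare MD5) record as version 2; leave other versions untouched."""
    return [wrap_legacy_hash(r["hash"], iterations=iterations) if r["version"] == 1 else r
            for r in records]


def verify(password: str, record: dict) -> bool:
    """Check a login attempt against a record of either version, in constant time."""
    if record["version"] == 1:
        return hmac.compare_digest(legacy_md5(password), record["hash"])
    if record["version"] == 2:
        # Recompute exactly what the migration stored: PBKDF2 over MD5(password).
        dk = hashlib.pbkdf2_hmac("sha256", legacy_md5(password).encode("ascii"),
                                 bytes.fromhex(record["salt"]), record["iterations"])
        return hmac.compare_digest(dk.hex(), record["hash"])
    raise ValueError(f"unknown password record version {record['version']}")


if __name__ == "__main__":
    # Constructed sample table: two users still on bare MD5.
    table = [{"version": 1, "hash": legacy_md5("correct horse")},
             {"version": 1, "hash": legacy_md5("battery staple")}]
    table = migrate_table(table, iterations=10_000)  # low count only to keep the demo quick
    print(verify("correct horse", table[0]), verify("wrong", table[0]))
```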