3

Okay so if a company decides to use md5 for hashing passwords after a million users already registered how the hell will they transition to any other way of storing passwords. As they don't have plaintext to convert them into the new hashing function.

Comments
  • 2
    They can either reset all the passwords and force users to create new ones, or they can reverse lookup the passwords. MD5 hashes are known to be that insecure.
  • 7
    Simple. Next time a user logs in save a new hashed password with another hashin algorithem. Mark the user as using new hash.
  • 2
    @rokxer i thought of that too. But that would mean there could be still passwords with md5
  • 2
    @rjcrystal I would use @rokxer solution, till most of the users has updated there password. (Or within n days/months) And the rest after that will get there password reset.
  • 0
    Something about rokxer's solution makes me feel uneasy, security-wise..
  • 0
    @garrettw exactly what about hash collisions?
  • 0
    Why don't they just hash the MD5s?
  • 0
    @rjcrystal I dunno, it's just my spidey sense tingling. It's probably nothing.
  • 0
    @Gatgeagent what would that accomplish?
  • 0
    Nahh, just hash the md5's with another algorithm, store those hashes and remove all md5 ones. Takes double hashing at login but should work I'd imagine
  • 0
    @garrettw If they would hash them(the MD5s) with bcrypt/scrypt, or Argon2, they are pretty secure, in all cases definitely much more secure.
  • 0
    Oh, right. I thought you were suggesting to MD5 the MD5s. Lol
Add Comment