>>Migrated stored user passwords to a safer format (from salted sha1 to ... | Hacker News

Hacker News new | past | comments | ask | show | jobs | submit

login

rsoto on Dec 27, 2011 | parent | context | favorite | on: What I Did in 2011

>>Migrated stored user passwords to a safer format (from salted sha1 to bcrypt).

I'm curious on how to do that? I'm guessing you add another field and wait for the user to log in and if it matches, you salt and hash the new password field with the new function.

daeken on Dec 27, 2011 [–]

You can do that, but it has the problem that until the user logs in, the password is in a dangerous form. If you bcrypt the salted SHA1ed form, though, you increase complexity slightly but get a complete conversion immediately.

Consider applying for YC's W25 batch! Applications are open till Nov 12.
Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact