密码哈希 - 如何升级？

Question

There's plenty of discussion on the best algorithm - but what if you're already in production? How do you upgrade without having to reset on the user?

---

EDIT/DISCLAIMER: Although I originally wanted a "quick fix" solution and chose orip's response, I must concede that if security in your application is important enough to be even bothering with this issue, then a quick fix is the wrong mentality and his proposed solution is probably inadequate.

Answer 1

One option is to make your stored hash include an algorithm version number - so you start with algorithm 0 (eg MD5) and store

0:ab0123fe

then when you upgrade to SHA-1, you bump the version number to 1:

1:babababa192df1312

(no, I know these lengths probably aren't right).

That way you can always tell which version to check against when validating a password. You can invalidate old algorithms just by wiping stored hashes which start with that version number.

If you've already got hashes in production without a version number, just choose a scheme such that you can easily recognise unversioned hashes - for example, using the above scheme of a colon, any hash which doesn't contain a colon must by definition predate the versioning scheme, so can be inferred to be version 0 (or whatever).

Answer 2

A cool way to secure all the existing passwords: use the existing hash as the input for the new, and better, password hash.

So if your existing hashes are straight MD5s, and you plan on moving to some form of PBKDF2 (or bcrypt , or scrypt ), then change your password hash to:

PBKDF2( MD5( password ) )

You already have the MD5 in your database so all you do is apply PBKDF2 to it.

The reason this works well is that the weaknesses of MD5 vs other hashes (eg SHA-*) don't affect password use. For example, its collision vulnerabilities are devastating for digital signatures but they don't affect password hashes . Compared to longer hashes MD5 reduces the hash search-space somewhat with its 128-bit output, but this is insignificant compared to the password search space itself which is much much smaller.

What makes a password hash strong is slowing down (achieved in PBKDF2 by iterations) and a random, long-enough salt - the initial MD5 doesn't adversely affect either of them.

And while you're at it, add a version field to the passwords too.

EDIT : The cryptography StackExchange has an interesting discussion on this method.

Answer 3

等到用户登录（因此您有明文密码），然后使用新算法对其进行哈希并将其保存在数据库中。

Answer 4

One way to do it is to:

• Introduce new field for new password
• When the user logs in check the password against the old hash
• If OK, hash the clear text password with the new hash
• Remove the old hash

Then gradually you will have only passwords with the new hash

Answer 5

You probably can't change the password hashing scheme now, unless you're storing passwords in plain text. What you can do is re-hash the member passwords using a better hashing scheme after each user has successfully logged in.

You can try this:

First add a new column to your members table, or which ever table stores passwords.

ALTER TABLE members ADD is_pass_upgraded tinyint(1) default 0;

Next, in your code that authenticates users, add some additional logic (I'm using PHP):

<?php
$username = $_POST['username'];
$password = $_POST['password'];

$auth_success = authenticateUser($username, $password); 
if (!$auth_success) {
    /**
     * They entered the wrong username/password. Redirect them back
     * to  the login page.
     */
} else {
    /**
     * Check to see if the member's password has been upgraded yet
     */
    $username = mysql_real_escape_string($username);
    $sql = "SELECT id FROM members WHERE username = '$username' AND is_pass_upgraded = 0 LIMIT 1";
    $results = mysql_query($sql);

    /**
     * Getting any results from the query means their password hasn't been
     * upgraded yet. We will upgrade it now.
     */
    if (mysql_num_rows($results) > 0) {
        /**
         * Generate a new password hash using your new algorithm. That's
         * what the generateNewPasswordHash() function does.
         */
        $password = generateNewPasswordHash($password);
        $password = mysql_real_escape_string($password);

        /**
         * Now that we have a new password hash, we'll update the member table
         * with the new password hash, and change the is_pass_upgraded flag.
         */
        $sql = "UPDATE members SET password = '$password', is_pass_upgraded = 1 WHERE username = '$username' LIMIT 1";
        mysql_query($sql);
    }
}

Your authenticateUser() function would need to be changed to something similar to this:

<?php
function authenticateUser($username, $password)
{
    $username = mysql_real_escape_string($username);

    /**
     * We need password hashes using your old system (md5 for example)
     * and your new system.
     */
    $old_password_hashed = md5($password);
    $new_password_hashed = generateBetterPasswordHash($password);
    $old_password_hashed = mysql_real_escape_string($old_password_hashed);
    $new_password_hashed = mysql_real_escape_string($new_password_hashed);

    $sql = "SELECT *
        FROM members
        WHERE username = '$username'
        AND
        (
            (is_pass_upgraded = 0 AND password = '$old_password_hashed')
            OR
            (is_pass_upgraded = 1 AND password = '$new_password_hashed')
        )
        LIMIT 1";
    $results = mysql_query($sql);
    if (mysql_num_rows($results) > 0) {
        $row = mysql_fetch_assoc($results);
        startUserSession($row);
        return true;
    } else {
        return false;
    }
}

There's upsides and downsides to this approach. On the upsides, an individual member's password becomes more secure after they've logged in. The downside is everyone's passwords aren't secured.

I'd only do this for maybe 2 weeks. I'd send an email to all my members, and tell them they have 2 weeks to log into their account because of site upgrades. If they fail to log in within 2 weeks they'll need to use the password recovery system to reset their password.

Answer 6

Just re-hash the plain text when they authenticate the next time. Oah and use SHA-256 with a salt of base256 (full byte) and 256 bytes in size.