stackoom
  简体   繁体   中英

Updating md5 passwords with the php password_hash function

 原文  2016-09-09 11:46:59       php/ mysql/ pdo

Question

I have a database with accounts that still use the MD5 algorithm which is old and unsafe, so I wanted to update the passwords with the password_hash function in php.

I made a login for users with a md5 password so they can be prompted with an update field to update their password. It all works and I see the new hash string in the database. But when I want to login using their new password it's just not possible.

I use a PDO update query to update the passwords, does anyone have a solution or know if this is even possible?

Thanks in advance, Bram.

EDIT:

This is the code I use to verify the passwords.

if (password_verify($password, $rowofusers['passwordhere'])) {
       //code here
      }

1 answers

solution1
 2 ACCPTED  2016-09-09 12:03:36

As mentioned, the correct way to do this can be completely transparent to the user and should not require an " update password prompt ".

When the user tries to log in take the following steps to modify your login process accordingly.

  1. Check if the hash in the db starts with $2y$ to determine if the password should be check with md5 or password_verify . If it does start with $2y$ then just use password_verify and ignore the remaining steps ( continuing on with the rest of your normal login process ).
  2. If the password hash in the database does not start with $2y$ then first, check the plain-text password against its md5 hash.
  3. If the plain-text password's hash doesn't matches the md5 hash in your database continue with normal failed authentication process and ignore the remaining steps here
  4. If the plain-text password's hash does match the md5 hash in your database then take the plain-text password and run it through password_hash and update your database with the newly generated BCRYPT hash from password_hash .

You would have to keep this code in your login process until all passwords in your database have been updated and no remaining md5 hashes are left. The user will never know that their password hash is updated and never be prompted to enter their password twice as it's completely unnecessary.

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question Convert old md5 passwords to password_hash Converting md5 password hashes to PHP 5.5 password_hash() PHP function to use password_hash, hash or MD5 depending on availability Switching from md5 to password_hash using php password_hash passwords with freeradius PHP Password_Hash Function How to hash all passwords from DB using PHP password_hash function How to use PHP's password_hash to hash and verify passwords PHP Verifying passwords using password_verify and password_hash Sanitizing passwords for password_hash()
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM