Moving old passwords to new hashing algorithm?

Normally it’s not necessary to reset the passwords, one can just wait until the user logs in the next time.

  1. First try to verify the entered password with the new algorithm. New passwords and already converted passwords will not take longer for verification then.
  2. If it does not match, compare it with the old hash algorithm.
  3. Should the old hash value match, then you can calculate and store the new hash, since you know the password then.

Every password-storing system must have the option to switch to a better hash algorithm; your problem is not a one-time migration problem. Good password hash algorithms like BCrypt have a cost factor, and from time to time you have to increase this cost factor (because of faster hardware); then you need the exact same procedure as you need for the migration.

Your option 2 with hashing the old hash is a good thing, if your first algorithm is really weak, and you want to give more protection immediately. In this case you can calculate a double-hash and replace the old hash in the database with the new double-hash.

$newHashToStoreInTheDb = new_hash($oldHashFromDb)

You should also mark this password-hash (see why), so you can recognize it as a double-hash. This can be done in a separate database field, or you can include your own signature. Modern password hash functions also include a signature of the algorithm, so that they can upgrade to newer algorithms and can still verify older hashes. The example shows the signature of a BCrypt hash:

$2y$10$nOUIs5kJ7naTuTFkBy1veuK0kSxUFXfuaOKdOKf9xYT0KKIGSJwFa
 __
 |
 signature of hash-algorithm = 2y = BCrypt

The verification would run like this:

  1. Decide whether it is a double-hash.
  2. If it is a new hash, call the new hash-function to verify the entered password, and you are done.
  3. If it is a double-hash, compare it with the double-hash algorithm new_hash(old_hash($password)).
  4. Should the double-hash value match, then you can calculate and store the new hash.
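Both procedures from the answer (lazy upgrade on login, and verifying a stored double-hash) in one runnable Python example. This is an added illustration, not the answer's own code: it assumes an unsalted MD5 hex digest as the stand-in for the weak legacy scheme, uses PBKDF2-HMAC-SHA256 from the standard library in place of BCrypt so it runs without extra packages, and stores the new hashes in a constructed self-describing format `$<algorithm id>$<iterations>$<salt>$<hash>` where the algorithm id doubles as the signature that distinguishes a plain new hash from a double-hash. The cost-factor bump the answer mentions is handled the same way: a hash stored with fewer iterations than the current setting is re-hashed after a successful login.

```python
import base64
import hashlib
import hmac
import os

# Legacy scheme (constructed stand-in for "the old hash algorithm"): unsalted MD5 hex digest.
def old_hash(password: str) -> str:
    return hashlib.md5(password.encode()).hexdigest()

# New scheme: PBKDF2-HMAC-SHA256 with a random per-user salt and an explicit cost factor.
# Stored form (constructed for this example): $<alg id>$<iterations>$<salt b64>$<digest b64>
NEW_ID = "pbkdf2-sha256"          # signature of a hash computed directly over the password
WRAPPED_ID = "pbkdf2-sha256+md5"  # signature of a double-hash: new_hash(old_hash(password))
CURRENT_ITERATIONS = 100_000      # raise this over time; old entries are upgraded on login

def _derive(secret: bytes, salt: bytes, iterations: int) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret, salt, iterations, dklen=32)

def _encode(alg_id: str, iterations: int, salt: bytes, digest: bytes) -> str:
    return "$%s$%d$%s$%s" % (alg_id, iterations,
                             base64.b64encode(salt).decode(),
                             base64.b64encode(digest).decode())

def _decode(stored: str):
    _, alg_id, iterations, salt, digest = stored.split("$")
    return alg_id, int(iterations), base64.b64decode(salt), base64.b64decode(digest)

def new_hash(secret: str, iterations: int = CURRENT_ITERATIONS, alg_id: str = NEW_ID) -> str:
    salt = os.urandom(16)
    return _encode(alg_id, iterations, salt, _derive(secret.encode(), salt, iterations))

def verify_new(secret: str, stored: str) -> bool:
    _, iterations, salt, digest = _decode(stored)
    # constant-time comparison so timing does not leak how many bytes matched
    return hmac.compare_digest(_derive(secret.encode(), salt, iterations), digest)

def is_new_format(stored: str) -> bool:
    return stored.startswith("$" + NEW_ID + "$")

def is_wrapped(stored: str) -> bool:
    return stored.startswith("$" + WRAPPED_ID + "$")

def needs_rehash(stored: str) -> bool:
    """True when a new-format hash was made with a lower cost factor than the current one."""
    return _decode(stored)[1] < CURRENT_ITERATIONS

def wrap_old_hash(old_hash_value: str) -> str:
    """Immediate protection for weak legacy hashes: store new_hash(old_hash) with its own signature."""
    return new_hash(old_hash_value, alg_id=WRAPPED_ID)

def login(user: str, password: str, db: dict) -> bool:
    """Verify the password and, on success, upgrade the stored hash to the current scheme."""
    stored = db[user]
    if is_new_format(stored):                       # step 1/2: try the new algorithm first
        if not verify_new(password, stored):
            return False
        if needs_rehash(stored):                    # cost factor was raised since this was stored
            db[user] = new_hash(password)
        return True
    if is_wrapped(stored):                          # double-hash: new_hash(old_hash(password))
        if not verify_new(old_hash(password), stored):
            return False
        db[user] = new_hash(password)               # we know the password now, store a real new hash
        return True
    # plain legacy hash that has not been wrapped yet
    if not hmac.compare_digest(old_hash(password), stored):
        return False
    db[user] = new_hash(password)                   # step 3: replace the old hash
    return True

if __name__ == "__main__":
    # Constructed sample user table: one legacy hash, one wrapped hash, one hash with an old cost factor.
    users = {
        "alice": old_hash("correct horse"),
        "bob": wrap_old_hash(old_hash("battery staple")),
        "carol": new_hash("s3cret", iterations=50_000),
    }
    for name, pw in [("alice", "correct horse"), ("bob", "battery staple"), ("carol", "s3cret")]:
        print(name, login(name, pw, users), users[name][:24] + "...")
```

Whichever branch is taken, a failed verification leaves the stored value untouched; only a successful login (which proves the password is known) replaces it, so the table converges to the current scheme without ever forcing a reset.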
