
How do databases/companies change their hashing algorithm?

Çağlar Arlı

OK, so you all probably know that a hash is used to help secure a stored password in a database if it is stolen.

When a user logs in and enters a password, it gets hashed and then matched to the hash stored in the database under the name of the user that tried to log in, and if they match, the user is ‘allowed’ in. Right?

So what I am wondering is: what if said application, let’s call them ‘Company-A’, wanted to change their hashing algorithm from MD5 to the more secure SHA-1? How would they do this?

Because they don’t actually know (or store, more accurately) your password, they just know your hash, so they couldn’t just re-hash your plaintext password.

I’m not saying this situation would happen all the time, but it would happen often enough.

These are my thoughts/ideas on how a company or application might approach it:

  1. They brute force every hash to obtain the original password and then convert that to their new hash algorithm.

Just typing that made me feel stupid! Obviously this is not how said company would go about it; this approach would be ridiculously resource- and time-consuming!

  2. This is the most feasible approach I can think of, but it still has some flaws.

Once they decide they want to change their hash algorithm, Company-A waits until a specific user logs in and enters their password, ‘P@ssword1’. The hash of P@ssword1 matches the hash in Company-A’s database, so they know it is valid, and then P@ssword1 gets hashed again, but this time into the new SHA-1 hash, and the new SHA-1 hash replaces the old MD5 hash in Company-A’s database.

Is this theory right? Am I close or far off?

I am interested in knowing this because I feel that this must happen often enough that it could be an issue that companies and databases suffer from.

Please also let me know if this question does not belong in Information Security SE as well!
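The second approach in the question, verifying against the old hash and transparently re-hashing on a successful login, is what the following added example implements. It is not code from the question's author; it assumes an in-memory dict standing in for the database, a per-user random salt, and a record that carries an algorithm tag so the login routine knows which algorithm a given row still uses. It keeps the question's MD5 to SHA-1 pair purely for illustration; a real deployment would migrate to a purpose-built password hash (bcrypt, scrypt or Argon2) using exactly the same upgrade-on-login pattern. The `legacy_users` helper addresses the flaw the question hints at: accounts that never log in never get migrated, so the operator needs a way to find them and force a reset once the migration window closes.

```python
import hashlib
import hmac
import secrets

# Algorithm new records are written with. Taken from the question's example;
# in practice this would be a dedicated password hash, not SHA-1.
CURRENT_ALGO = "sha1"


def _digest(algo: str, salt: bytes, password: str) -> str:
    """Salted digest under the named hashlib algorithm, as a hex string."""
    return hashlib.new(algo, salt + password.encode("utf-8")).hexdigest()


def store_password(db: dict, username: str, password: str, algo: str = CURRENT_ALGO) -> None:
    """Write (algorithm tag, salt, hash) for the user; a fresh salt each time.

    The algo parameter exists so a test can seed a legacy (md5) record the way
    an old code base would have written it. Constructed for this example.
    """
    salt = secrets.token_bytes(16)
    db[username] = (algo, salt.hex(), _digest(algo, salt, password))


def login(db: dict, username: str, password: str) -> bool:
    """Verify the password against whatever algorithm the stored row uses.

    On success, if the row is still on a legacy algorithm, re-hash the
    plaintext we were just given with CURRENT_ALGO and replace the row.
    This is the only moment the server legitimately holds the plaintext,
    which is why the upgrade has to happen here.
    """
    record = db.get(username)
    if record is None:
        return False
    algo, salt_hex, stored = record
    candidate = _digest(algo, bytes.fromhex(salt_hex), password)
    # Constant-time comparison so the check does not leak via timing.
    if not hmac.compare_digest(candidate, stored):
        return False
    if algo != CURRENT_ALGO:
        store_password(db, username, password)  # transparent upgrade on successful login
    return True


def legacy_users(db: dict) -> list:
    """Users whose rows still use an old algorithm, i.e. have not logged in since the switch."""
    return sorted(user for user, (algo, _, _) in db.items() if algo != CURRENT_ALGO)


if __name__ == "__main__":
    # Constructed sample data: one account written by the old MD5 code path.
    users = {}
    store_password(users, "alice", "P@ssword1", algo="md5")
    print("before login:", users["alice"][0], "legacy:", legacy_users(users))
    print("login ok:", login(users, "alice", "P@ssword1"))
    print("after login:", users["alice"][0], "legacy:", legacy_users(users))
```

Because the algorithm tag travels with each row, old and new hashes coexist in the same table for as long as the migration takes, and the operator can track progress by counting rows that still carry the old tag. Whatever remains on the legacy algorithm after the chosen deadline cannot be migrated without the plaintext, so those accounts get a forced password reset rather than waiting indefinitely.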