如何将密码迁移到其他哈希方法 [英] How to migrate passwords to a different hashing method

问题描述

在更改应用程序的密码哈希算法时，系统应如何迁移已保存在数据库中的值?我很清楚我无法以其散列格式迁移它们，但是我需要输入数据才能计算出新的散列.

When changing the password-hashing algorithm for an application, how should the system migrate the values already saved in the database? I am well aware of the fact that I can't migrate them in their hashed form but that I need to have the input data in order to calculate the new hash.

在两种情况下，我都可以访问输入数据:

There are two situations in wich I have access to the input data:

1. 登录期间
2. 当用户在个人资料设置中更改密码时

很明显，只有在其中一种情况下，我才能将新的哈希值保存到数据库中以迁移密码.

obviously only during one of these I am able to save the new hash to the database to migrate the password.

尽管我的所有同事都对方法1进行投票，但我的直觉告诉我不要这样做.有推荐的方法吗?

Although all of my collegues are voting for method 1 my gut tells me to not do that. Is there a recommended way?

推荐答案

我认为没有理由不在登录时执行此操作.您是否有理由不想做#1?您针对新哈希进行验证，如果失败，则针对旧哈希算法进行验证.如果可行，我将把新的哈希值写在旧的哈希值上.这意味着您的密码将更快地转换，因为用户登录的次数可能超过他们更改密码的次数.除非您强迫人们这样做，否则我怀疑大多数人会自行改变它.

I see no reason not to do this on logon. Is there a reason you don't want to do #1? You validate against the new hash, if that fails, validation against the old hash algorithm. If that works, I'd then write the new hash over the old one. This means that your passwords will be converted faster, since users probably logon more than they go to change their password. Unless you force people to, I doubt most will change it on their own.

这篇关于如何将密码迁移到其他哈希方法的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！