How are you going to rehash them without having the cleartext password? Hash the SHA1s to bcrypt and then check every password's bcrypt and SHA1*bcrypt's password from then on?
Half measures are not solutions. Keeping insecure hashes on hand was the main mistake, full stop.
They'd still have leaked all of the insecure hashes of people who never logged in after the change in 2012 -- and that's still not good enough.
Immediate remediation means never keeping toxic hashes on hand, and never having to say to any subset of your customers "Sorry, but your password has been compromised due to our incompetence".
CiPHPerCoder|6 years ago
Don't make this mistake. Rehash all of them up front.
The details of whether or not users are forced to change their password is irrelevant to the escape route from this trap.
nameismypw|6 years ago
msbarnett|6 years ago
They'd still have leaked all of the insecure hashes of people who never logged in after the change in 2012 -- and that's still not good enough.
Immediate remediation means never keeping toxic hashes on hand, and never having to say to any subset of your customers "Sorry, but your password has been compromised due to our incompetence".