
cmircea | 12 years ago

You could just always do a hash using SHA1 then feed that to bcrypt. This way you only have one code path, for all users.


akerl_ | 12 years ago

Except that for some people, you only have a SHA1 hash, and for others, you only have an scrypt hash. Since they (I hope) weren't storing the plaintext (pre-hash) passwords alongside the hashed versions, the only time they can change the initial hashing mechanism is when passwords are provided to them during a password change or user login.

ErrantX | 12 years ago

Hash all the sha1 passwords with scrypt. Hash all new passwords with sha1 then scrypt.

Your new hash mechanism is sha1 then scrypt.

There is no excuse to do otherwise :)
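The migration cmircea and ErrantX describe, as an added example in Python that is not code from this thread: existing records hold only a SHA-1 digest, so each one is wrapped in place as scrypt(salt, sha1hex), and new passwords go through the same sha1-then-scrypt path. The legacy store, the salt length and the scrypt cost parameters (N=2^14, r=8, p=1) are constructed assumptions; the per-user salt is the addition the thread leaves unstated, and the comparison is constant-time. Python's hashlib.scrypt needs an OpenSSL 1.1+ build.

```python
import hashlib
import hmac
import os

# Constructed legacy store (the "before" state): username -> hex SHA-1 of the password.
# Nothing else about the original password is known, which is exactly the migration problem.
LEGACY_SHA1 = {
    "alice": hashlib.sha1(b"correct horse").hexdigest(),
}

# Assumed scrypt work factors; 128 * N * r bytes of memory per hash (16 MiB here).
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
SALT_BYTES = 16


def sha1_hex(password: str) -> str:
    """Inner hash: the legacy function, kept so old and new records share one shape."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def scrypt_wrap(sha1_digest: str, salt: bytes) -> bytes:
    """Outer hash: scrypt over the hex SHA-1 string, keyed by a per-record salt."""
    return hashlib.scrypt(
        sha1_digest.encode("ascii"),
        salt=salt, n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32,
    )


def migrate_legacy(store: dict) -> dict:
    """Wrap every stored SHA-1 digest without needing the plaintext password.

    Returns username -> (salt, scrypt_output). After this runs, the bare SHA-1
    column should be deleted; the wrapped form is the only record kept.
    """
    migrated = {}
    for user, digest in store.items():
        salt = os.urandom(SALT_BYTES)
        migrated[user] = (salt, scrypt_wrap(digest, salt))
    return migrated


def new_record(password: str) -> tuple:
    """Path for new or changed passwords: sha1 then scrypt, same as migrated rows."""
    salt = os.urandom(SALT_BYTES)
    return (salt, scrypt_wrap(sha1_hex(password), salt))


def verify(password: str, record: tuple) -> bool:
    """Single verification path for every user, migrated or new."""
    salt, expected = record
    candidate = scrypt_wrap(sha1_hex(password), salt)
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    users = migrate_legacy(LEGACY_SHA1)
    users["bob"] = new_record("hunter2")
    print("alice ok:", verify("correct horse", users["alice"]))
    print("alice wrong:", verify("wrong", users["alice"]))
    print("bob ok:", verify("hunter2", users["bob"]))
```

Because migrated and fresh records are produced by the same scrypt_wrap, verify has no branch on record age, which is the "one code path" point of the thread; the salt is what keeps two users with the same legacy digest from sharing an outer hash.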