{"id":330,"date":"2021-04-16T05:38:43","date_gmt":"2021-04-16T03:38:43","guid":{"rendered":"https:\/\/infosecscout.com\/?p=330"},"modified":"2023-11-22T13:02:22","modified_gmt":"2023-11-22T12:02:22","slug":"convert-md5-to-sha256","status":"publish","type":"post","link":"https:\/\/infosecscout.com\/convert-md5-to-sha256\/","title":{"rendered":"How to Convert MD5 Passwords to SHA256?"},"content":{"rendered":"\n<p>If you are still using MD5 to encrypt passwords in a database, it might be a right move to look for a better algorithm. SHA256 should be a good replacement, and the question today is to see how to migrate from MD5 to SHA256.<\/p>\n\n\n\n<p><strong>As a general rule, MD5 is a hashing function, not an encryption algorithm. It&#8217;s not possible to recover MD5 encrypted passwords to store them with another method. So, there is no way to directly convert MD5 hashs to their SHA256 equivalent.<\/strong><\/p>\n\n\n\n<p>Keep reading, however, as I have some solutions for your problem.<\/p>\n\n\n\n<div id=\"ez-toc-container\" class=\"ez-toc-v2_0_65 counter-hierarchy ez-toc-counter ez-toc-custom ez-toc-container-direction\">\n<div class=\"ez-toc-title-container\">\n<p class=\"ez-toc-title \" >Table of Contents<\/p>\n<span class=\"ez-toc-title-toggle\"><a href=\"#\" class=\"ez-toc-pull-right ez-toc-btn ez-toc-btn-xs ez-toc-btn-default ez-toc-toggle\" aria-label=\"Toggle Table of Content\"><span class=\"ez-toc-js-icon-con\"><span class=\"\"><span class=\"eztoc-hide\" style=\"display:none;\">Toggle<\/span><span class=\"ez-toc-icon-toggle-span\"><svg style=\"fill: #999;color:#999\" xmlns=\"http:\/\/www.w3.org\/2000\/svg\" class=\"list-377408\" width=\"20px\" height=\"20px\" viewBox=\"0 0 24 24\" fill=\"none\"><path d=\"M6 6H4v2h2V6zm14 0H8v2h12V6zM4 11h2v2H4v-2zm16 0H8v2h12v-2zM4 16h2v2H4v-2zm16 0H8v2h12v-2z\" fill=\"currentColor\"><\/path><\/svg><svg style=\"fill: #999;color:#999\" class=\"arrow-unsorted-368013\" xmlns=\"http:\/\/www.w3.org\/2000\/svg\" width=\"10px\" height=\"10px\" viewBox=\"0 0 24 24\" version=\"1.2\" baseProfile=\"tiny\"><path d=\"M18.2 9.3l-6.2-6.3-6.2 6.3c-.2.2-.3.4-.3.7s.1.5.3.7c.2.2.4.3.7.3h11c.3 0 .5-.1.7-.3.2-.2.3-.5.3-.7s-.1-.5-.3-.7zM5.8 14.7l6.2 6.3 6.2-6.3c.2-.2.3-.5.3-.7s-.1-.5-.3-.7c-.2-.2-.4-.3-.7-.3h-11c-.3 0-.5.1-.7.3-.2.2-.3.5-.3.7s.1.5.3.7z\"\/><\/svg><\/span><\/span><\/span><\/a><\/span><\/div>\n<nav><ul class='ez-toc-list ez-toc-list-level-1 eztoc-toggle-hide-by-default' ><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-1\" href=\"https:\/\/infosecscout.com\/convert-md5-to-sha256\/#Reminder_about_the_MD5_algorithm\" title=\"Reminder about the MD5 algorithm\">Reminder about the MD5 algorithm<\/a><ul class='ez-toc-list-level-3' ><li class='ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-2\" href=\"https:\/\/infosecscout.com\/convert-md5-to-sha256\/#About_the_MD5_function\" title=\"About the MD5 function\">About the MD5 function<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-3\" href=\"https:\/\/infosecscout.com\/convert-md5-to-sha256\/#What_is_the_opposite_function\" title=\"What is the opposite function?\">What is the opposite function?<\/a><\/li><\/ul><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-4\" href=\"https:\/\/infosecscout.com\/convert-md5-to-sha256\/#How_to_convert_MD5_to_SHA256_in_a_database\" title=\"How to convert MD5 to SHA256 in a database\">How to convert MD5 to SHA256 in a database<\/a><ul class='ez-toc-list-level-3' ><li class='ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-5\" href=\"https:\/\/infosecscout.com\/convert-md5-to-sha256\/#Adapt_your_database\" title=\"Adapt your database\">Adapt your database<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-6\" href=\"https:\/\/infosecscout.com\/convert-md5-to-sha256\/#The_slow_transition_ask_users_to_change_their_password\" title=\"The slow transition: ask users to change their password\">The slow transition: ask users to change their password<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-7\" href=\"https:\/\/infosecscout.com\/convert-md5-to-sha256\/#The_best_solution_convert_all_passwords_to_SHA256\" title=\"The best solution: convert all passwords to SHA256\">The best solution: convert all passwords to SHA256<\/a><\/li><\/ul><\/li><\/ul><\/nav><\/div>\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Reminder_about_the_MD5_algorithm\"><\/span>Reminder about the MD5 algorithm<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p>As you are asking how to convert MD5 hashs to another format, you probably need a quick reminder before anything else.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"About_the_MD5_function\"><\/span>About the MD5 function<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>MD5 stands for &#8220;Message Digest Algorithm 5&#8221;. Many people are confused with the real purpose of the MD5 algorithm, you are not alone.<br><strong>In fact, it&#8217;s not an encryption algorithm, even if many developers use it like this. MD5 is a hashing function.<br><\/strong>The only goal of the MD5 function is to convert almost anything (string, number, files) into a short 32 hexadecimal characters string.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"972\" height=\"483\" src=\"https:\/\/infosecscout.com\/wp-content\/uploads\/2021\/04\/md5-encrypt.jpg\" alt=\"\" class=\"wp-image-332\" srcset=\"https:\/\/infosecscout.com\/wp-content\/uploads\/2021\/04\/md5-encrypt.jpg 972w, https:\/\/infosecscout.com\/wp-content\/uploads\/2021\/04\/md5-encrypt-300x149.jpg 300w, https:\/\/infosecscout.com\/wp-content\/uploads\/2021\/04\/md5-encrypt-768x382.jpg 768w\" sizes=\"(max-width: 972px) 100vw, 972px\" \/><\/figure>\n\n\n\n<p>Here is an example: If you apply the MD5 function to the word &#8220;MD5Online&#8221;, you&#8217;ll get &#8220;d49019c7a78cdaac54250ac56d0eda8a&#8221;.<br>You can try to hash you own strings with <a rel=\"noreferrer noopener\" href=\"https:\/\/www.md5online.org\/md5-encrypt.html\" target=\"_blank\">this &#8220;encryption&#8221; tool on MD5Online.org<\/a>.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"What_is_the_opposite_function\"><\/span>What is the opposite function?<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>As you want to convert MD5 strings to SHA256 equivalents, the first idea you might have is to recover the original passwords and then use the SHA256 function to generate a new safer password string.<br>Well, it doesn&#8217;t work like that.<\/p>\n\n\n\n<p><strong>There is no reverse function to the MD5 algorithm. It&#8217;s the main difference between an encryption algorithm and a hashing function. With encryption, there is a decryption method available. With hashing, it&#8217;s a one-way process, you can&#8217;t recover the initial input.<\/strong><\/p>\n\n\n\n<p>Even with <a rel=\"noreferrer noopener\" href=\"https:\/\/www.md5online.org\/md5-decrypt.html\" target=\"_blank\">the best tools available to decrypt MD5 hashes<\/a>, you will never get a 100% success rate to recover your passwords. We currently have around 85% success rate, and if you have a large database, it will take a lot of time to even get this result. So, that&#8217;s not the best option.<\/p>\n\n\n\n<p>In the next part, I&#8217;ll introduce some better solutions to secure the passwords in your database.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"How_to_convert_MD5_to_SHA256_in_a_database\"><\/span>How to convert MD5 to SHA256 in a database<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p>Now that&#8217;s the MD5 algorithm is clearer for you, let&#8217;s see how to solve your problem.<br>In fact, I have two solutions for you, depending on your motivations.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Adapt_your_database\"><\/span>Adapt your database<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p><strong>Whatever the solution you choose after that, the first step will be to male sure your database is ready to use SHA256 passwords.<\/strong><br>MD5 and SHA256 don&#8217;t generate the same data:<\/p>\n\n\n\n<ul><li><strong>MD5 produces a 32 hexadecimal character string<br><\/strong>Example: 098f6bcd4621d373cade4e832627b4f6<\/li><li><strong>SHA256 generates a longer, 64 characters string<br><\/strong>Example: 9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08<\/li><\/ul>\n\n\n\n<p>Let&#8217;s suppose you use a VARCHAR(32) for the MD5 password, you&#8217;ll need a VARCHAR(64) to store the new value with SHA256.<br>You could just change the password field type in your table, but I suggest creating a new field in VARCHAR(64) for now.<\/p>\n\n\n\n<p>So, if you are using MySQL as your database engine, it should be something like that:<br><code>ALTER TABLE myTable ADD new_password VARCHAR(64) NOT NULL AFTER password;<\/code><br>In this case, my MD5 password is in the &#8220;password&#8221; field, and the SHA256 password will be store in the &#8220;new_password&#8221; field.<\/p>\n\n\n\n<p>Obviously, adapt this query with the table and fields names corresponding to your environment.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"The_slow_transition_ask_users_to_change_their_password\"><\/span>The slow transition: ask users to change their password<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>Once the database is ready, the first option is to slowly move from MD5 to SHA256.<br><strong>As you can&#8217;t recover the original passwords from their MD5 hashes, the first idea is to have an intervention from the user, which is the only person to know the original password.<\/strong><\/p>\n\n\n\n<p>You can either for them to log in, or ask them to change their passwords for security reasons.<br>When they sign in or change their password, you check the password as usual with the MD5 field, but just after you also store the SHA256 equivalent in the new database field.<\/p>\n\n\n\n<p>Example:<\/p>\n\n\n\n<ul><li>The user fill the login form with &lt;user> and &lt;password><\/li><li>If MD5(&lt;password>) = password field in the database then<ul><li>Update the new_password field with SHA256(&lt;password>)<\/li><li>Log in<\/li><\/ul><\/li><\/ul>\n\n\n\n<p>Then you can either wait for all users to log in, or use the SHA256 field once it&#8217;s no longer empty for that specific user.<\/p>\n\n\n\n<p>The advantage of this method, is that everything is transparent, but it can take a long transition time before all the users are either logged in or disabled. That&#8217;s why I think the second option is better in most cases.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"The_best_solution_convert_all_passwords_to_SHA256\"><\/span>The best solution: convert all passwords to SHA256<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p><strong>To migrate from MD5 to SHA256 to store passwords in a database, the best way is to use the two hashing algorithms in succession. You can apply the SHA256 function to the MD5 password and convert all the store password in one query.<\/strong><\/p>\n\n\n\n<p>Here is the exact procedure to follow if you are using PHP and MySQL for example:<\/p>\n\n\n\n<ul><li><strong>Put your website or application in maintenance mode<\/strong> for a few minutes<\/li><li><strong>Fill the new password field with a SHA256 string<\/strong>:<br><code>UPDATE users SET new_password=SHA2(password,256)<br><\/code>We add a SHA256 layer above the MD5 value.<\/li><li><strong>Change your website or application to use the new field<\/strong>. For example:<br><code>SELECT * FROM users WHERE password=MD5('\".$password.\"')<\/code><br>Becomes:<br><code>SELECT * FROM users WHERE new_password=SHA2(MD5('\".$password.\"'),256)<\/code><\/li><li>Eventually, you can <strong>remove the &#8220;password&#8221; field and rename the &#8220;new_password&#8221; one to &#8220;password&#8221;<\/strong>:<br><code>ALTER TABLE users DROP password;<br>ALTER TABLE users CHANGE new_password password VARCHAR(64);<\/code><\/li><li>Don&#8217;t forget to remove all uses of &#8220;new_password&#8221; in your application code.<\/li><li>End the maintenance mode \ud83d\ude42<\/li><\/ul>\n\n\n\n<p>That&#8217;s it, with this method, you should have a more secure database instantly, and don&#8217;t have to ask anything to your users.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>If you are still using MD5 to encrypt passwords in a database, it might be a right move to look for a better algorithm. SHA256 should be a good replacement, and the question today is to see how to migrate from MD5 to SHA256. As a general rule, MD5 is a hashing function, not an&#8230;<\/p>\n","protected":false},"author":1,"featured_media":334,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_kad_blocks_custom_css":"","_kad_blocks_head_custom_js":"","_kad_blocks_body_custom_js":"","_kad_blocks_footer_custom_js":"","_kad_post_transparent":"","_kad_post_title":"","_kad_post_layout":"","_kad_post_sidebar_id":"","_kad_post_content_style":"","_kad_post_vertical_padding":"","_kad_post_feature":"","_kad_post_feature_position":"","_kad_post_header":false,"_kad_post_footer":false,"footnotes":""},"categories":[14],"tags":[],"taxonomy_info":{"category":[{"value":14,"label":"Security"}]},"featured_image_src_large":["https:\/\/infosecscout.com\/wp-content\/uploads\/2021\/04\/convert-md5-passwords-to-sha256-1024x683.jpg",1024,683,true],"author_info":{"display_name":"Patrick Fromaget","author_link":"https:\/\/infosecscout.com\/about\/"},"comment_info":1,"category_info":[{"term_id":14,"name":"Security","slug":"security","term_group":0,"term_taxonomy_id":14,"taxonomy":"category","description":"Check out our easy-to-follow tips and facts in Security Information. Learn how passwords work and more, all explained in a way that's easy to understand.","parent":0,"count":21,"filter":"raw","cat_ID":14,"category_count":21,"category_description":"Check out our easy-to-follow tips and facts in Security Information. Learn how passwords work and more, all explained in a way that's easy to understand.","cat_name":"Security","category_nicename":"security","category_parent":0}],"tag_info":false,"_links":{"self":[{"href":"https:\/\/infosecscout.com\/wp-json\/wp\/v2\/posts\/330"}],"collection":[{"href":"https:\/\/infosecscout.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/infosecscout.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/infosecscout.com\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/infosecscout.com\/wp-json\/wp\/v2\/comments?post=330"}],"version-history":[{"count":7,"href":"https:\/\/infosecscout.com\/wp-json\/wp\/v2\/posts\/330\/revisions"}],"predecessor-version":[{"id":339,"href":"https:\/\/infosecscout.com\/wp-json\/wp\/v2\/posts\/330\/revisions\/339"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/infosecscout.com\/wp-json\/wp\/v2\/media\/334"}],"wp:attachment":[{"href":"https:\/\/infosecscout.com\/wp-json\/wp\/v2\/media?parent=330"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/infosecscout.com\/wp-json\/wp\/v2\/categories?post=330"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/infosecscout.com\/wp-json\/wp\/v2\/tags?post=330"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}