- SHA256 generates a longer string of 64 characters.
  Example: 9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08

Let's suppose you use a VARCHAR(32) for the MD5 password; you'll need a VARCHAR(64) to store the new SHA256 value.
You could just change the type of the password field in your table, but I suggest creating a new VARCHAR(64) field for now.

So, if you are using MySQL as your database engine, it should be something like this:

ALTER TABLE myTable ADD new_password VARCHAR(64) NOT NULL AFTER password;

In this case, my MD5 password is in the "password" field, and the SHA256 password will be stored in the "new_password" field.

Obviously, adapt this query to the table and field names used in your environment.
The slow transition: ask users to change their password

Once the database is ready, the first option is to slowly move from MD5 to SHA256.
As you can't recover the original passwords from their MD5 hashes, the first idea is to have an intervention from the user, who is the only person who knows the original password.

You can either wait for them to log in, or ask them to change their passwords for security reasons.
When they sign in or change their password, you check the password as usual against the MD5 field, but right after that you also store the SHA256 equivalent in the new database field.

Example:

- The user fills in the login form with <user> and <password>
- If MD5(<password>) equals the password field in the database, then:
  - Update the new_password field with SHA256(<password>)
  - Log in

Then you can either wait for all users to log in, or use the SHA256 field as soon as it's no longer empty for that specific user.

The advantage of this method is that everything is transparent, but it can take a long transition time before all the users have either logged in or been disabled. That's why I think the second option is better in most cases.
The best solution: convert all passwords to SHA256

To migrate from MD5 to SHA256 for storing passwords in a database, the best way is to use the two hashing algorithms in succession. You can apply the SHA256 function to the MD5 hash and convert all the stored passwords in one query.

Here is the exact procedure to follow if you are using PHP and MySQL, for example:

- Put your website or application in maintenance mode for a few minutes.
- Fill the new password field with a SHA256 string:
  UPDATE users SET new_password=SHA2(password,256)
  We add a SHA256 layer on top of the MD5 value.
- Change your website or application to use the new field. For example:
  SELECT * FROM users WHERE password=MD5('".$password."')
  becomes:
  SELECT * FROM users WHERE new_password=SHA2(MD5('".$password."'),256)
- Eventually, you can remove the "password" field and rename "new_password" to "password":
  ALTER TABLE users DROP password;
  ALTER TABLE users CHANGE new_password password VARCHAR(64);
- Don't forget to remove all uses of "new_password" in your application code.
- End the maintenance mode 🙂
That's it: with this method, you should have a more secure database instantly, without asking anything of your users.
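Both migration paths above, as an added Python example that is not the article's PHP code: it builds a constructed SQLite users table holding MD5 hashes, registers MD5() and SHA2() functions so the article's SQL statements run unchanged, and implements the per-login rehash from the first section as well as the one-query SHA2(MD5()) wrap and the matching login check from the second. The sample usernames and passwords, the table rebuild used in place of MySQL's DROP/CHANGE statements (older SQLite has no DROP COLUMN), and the parameterised queries used instead of string concatenation are my choices, not the article's.

```python
import hashlib
import hmac
import sqlite3

# Constructed sample accounts (placeholders, not real credentials). Their
# passwords start out stored as unsalted MD5 hex, as in the article.
SAMPLE_USERS = [("alice", "correct horse"), ("bob", "hunter2")]


def md5_hex(s: str) -> str:
    """Same output as MySQL's MD5(): 32 lowercase hex characters."""
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def sha256_hex(s: str) -> str:
    """Same output as MySQL's SHA2(s, 256): 64 lowercase hex characters."""
    return hashlib.sha256(s.encode("utf-8")).hexdigest()


def seed_db() -> sqlite3.Connection:
    """In-memory table mirroring the pre-migration layout, plus the new column."""
    conn = sqlite3.connect(":memory:")
    # SQLite has no MD5()/SHA2(); register Python equivalents (assumption:
    # only the 256-bit variant of SHA2 is needed here).
    conn.create_function("MD5", 1, md5_hex)
    conn.create_function("SHA2", 2, lambda s, bits: sha256_hex(s) if bits == 256 else None)
    conn.execute("CREATE TABLE users (username VARCHAR(50) PRIMARY KEY, "
                 "password VARCHAR(32) NOT NULL)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [(u, md5_hex(p)) for u, p in SAMPLE_USERS])
    # Article step: add the wider column (SQLite needs a DEFAULT for NOT NULL
    # and does not support MySQL's AFTER clause).
    conn.execute("ALTER TABLE users ADD new_password VARCHAR(64) NOT NULL DEFAULT ''")
    conn.commit()
    return conn


def lazy_login(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Option 1: check the MD5 field, then store SHA256(password) for this user.
    Once new_password is filled, it is used instead of the MD5 field."""
    row = conn.execute("SELECT password, new_password FROM users WHERE username = ?",
                       (username,)).fetchone()
    if row is None:
        return False
    stored_md5, stored_sha = row
    if stored_sha:  # already migrated on an earlier login
        return hmac.compare_digest(stored_sha, sha256_hex(password))
    if not hmac.compare_digest(stored_md5, md5_hex(password)):
        return False
    conn.execute("UPDATE users SET new_password = ? WHERE username = ?",
                 (sha256_hex(password), username))
    conn.commit()
    return True


def bulk_migrate(conn: sqlite3.Connection) -> int:
    """Option 2: wrap every stored MD5 hash in SHA256 with the article's one query."""
    cur = conn.execute("UPDATE users SET new_password = SHA2(password, 256)")
    conn.commit()
    return cur.rowcount


def wrapped_login(conn: sqlite3.Connection, username: str, password: str,
                  column: str = "new_password") -> bool:
    """Login check after the bulk migration: column must hold SHA2(MD5(pw), 256)."""
    row = conn.execute(f"SELECT {column} FROM users WHERE username = ?",
                       (username,)).fetchone()
    if row is None:
        return False
    return hmac.compare_digest(row[0], sha256_hex(md5_hex(password)))


def finalise(conn: sqlite3.Connection) -> list:
    """Article's last step: drop the MD5 field and rename new_password to password.
    Done as a table rebuild so it works on every SQLite version; returns the
    resulting column names."""
    conn.executescript("""
        CREATE TABLE users_new (username VARCHAR(50) PRIMARY KEY,
                                password VARCHAR(64) NOT NULL);
        INSERT INTO users_new SELECT username, new_password FROM users;
        DROP TABLE users;
        ALTER TABLE users_new RENAME TO users;
    """)
    return [r[1] for r in conn.execute("PRAGMA table_info(users)")]


if __name__ == "__main__":
    db = seed_db()
    print("lazy login alice:", lazy_login(db, "alice", "correct horse"))
    db2 = seed_db()
    print("rows wrapped:", bulk_migrate(db2))
    print("wrapped login bob:", wrapped_login(db2, "bob", "hunter2"))
    print("final columns:", finalise(db2))
```

In the lazy path only rows whose owner has logged in get a SHA256 value, so a report of `new_password = ''` rows tells you how far the transition has progressed; in the bulk path every row is converted at once and the application must switch to the SHA2(MD5()) comparison at the same time the UPDATE runs, which is why the article puts both inside the maintenance window.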