I have this website, with a simple CMS, and when users register, their password gets encrypted in MD5.
But since I don't like this encryption, and I was already building my CMS again, I changed the hash as well.
Now, is there a way to change the MD5 to another encryption method, without losing my database users?
You could add 3 new columns in your database where the passwords are kept.
Here you can save the new salts created by the new passwords (if using hashing like PHP's password_hash), the new hashed password and if this is their first login attempt since the hashing update.
You will need to modify the login script to check if isRequired is YES. If so, pull the old hashed password and old salt; otherwise use the new password and new salt.
For all current users, set isRequired to YES.
On user login, if the isRequired value is YES, redirect the user to a password reset page; otherwise continue as normal.
This password reset page is essentially the new register page but modified for current users so they don't have to create new usernames etc depending on how you deal with the data.
When the user resets their password, this will be hashed with the new method and stored in the database as per usual in the 'new' sections, and the isRequired value will be set to NO.
For new users, make sure the register page puts their password into the newPassword column and makes
Down the line
Eventually, when all the isRequired values are NO, you can update your database and coding to remove all old columns that are not in use any more, remove all code related to the MD5 hashing etc.
If some old users still have not changed their passwords, you can remove their user and make them re-register. Perhaps send an email to all users saying that if they have not updated their password before x day, their data will be removed and they will have to re-register.
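The login and reset flow described in the answer above, as an added example that is not part of the original post. The isRequired and newPassword names come from the answer; oldPassword, oldSalt, the in-memory user array and the legacy scheme md5(salt . password) are assumptions made for illustration.

```php
<?php
// Constructed sample row; oldPassword/oldSalt are hypothetical column names.
// Assumption: the legacy scheme was md5(salt . password).
$users = [
    'alice' => ['oldSalt' => 'a1b2', 'oldPassword' => md5('a1b2' . 'hunter2'),
                'newPassword' => null, 'isRequired' => 'YES'],
];

// Returns 'ok', 'reset' (send the user to the password reset page) or 'fail'.
function login(array $users, string $name, string $password): string
{
    if (!isset($users[$name])) {
        return 'fail';
    }
    $u = $users[$name];
    if ($u['isRequired'] === 'YES') {
        // Legacy path: recompute the old MD5 hash and compare in constant time.
        $candidate = md5($u['oldSalt'] . $password);
        return hash_equals($u['oldPassword'], $candidate) ? 'reset' : 'fail';
    }
    // Migrated path: the password_hash() string carries its own salt and
    // cost parameters, so password_verify() needs nothing else.
    return password_verify($password, $u['newPassword']) ? 'ok' : 'fail';
}

// Called by the reset page once the legacy login has succeeded.
function resetPassword(array &$users, string $name, string $newPassword): void
{
    $users[$name]['newPassword'] = password_hash($newPassword, PASSWORD_DEFAULT);
    $users[$name]['isRequired'] = 'NO';
    // Extra step in this sketch: clear the MD5 material for this user now,
    // ahead of the later column removal.
    $users[$name]['oldPassword'] = null;
    $users[$name]['oldSalt'] = null;
}

// Walk one constructed user through the migration.
var_dump(login($users, 'alice', 'hunter2'));
resetPassword($users, 'alice', 'correct horse battery staple');
var_dump(login($users, 'alice', 'correct horse battery staple'));
var_dump(login($users, 'alice', 'hunter2'));
```

Because password_hash() embeds its salt in the returned string, this sketch stores only the new hash and keeps no separate new-salt value.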