by elbee 3773 days ago
That will work as a way to strengthen the hashes (a few other people pointed that out as well).

My point was that if you have a system which can go straight from SHA2(password) to bcrypt(password) then the system must be storing the plaintext of the password, which would be very bad.

2 comments

> My point was that if you have a system which can go straight from SHA2(password) to bcrypt(password) then the system must be storing the plaintext of the password, which would be very bad.

Yes, I understand that. It's just completely irrelevant to the question of whether or not it's competent practice to store vulnerable hashes indefinitely, awaiting customer login.

Again, it is not a competent practice. Wrap vulnerable hashes in strong ones immediately; they're a huge liability to leave sitting in your storage even when you don't have evidence that there's a backdoor in your systems that you cannot seem to find.

I don't see anything to indicate they are converting directly from sha2 to bcrypt. When the user logs in next, if it matches the sha2 hashed password, insert the bcrypt hashed password in the bcrypt hash password field and use that from now on.