by nly 4706 days ago
So migrate? Hash the hashes with Bcrypt or PBKDF2.

Bcrypt(MD5(password)) is just as effective as Bcrypt(password) at knocking brute force attempts on the head.

Unless the Bad Guys already have the MD5 hashes
Then the problem is not "I support an app that uses md5 hashes" any more. Your problem in that case is "all my users' accounts were broken."
Right, but you can still perform the migration I suggested and flag accounts for a password reset on next login.
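The migration the thread describes, written out as an added example (not code posted by any commenter): the stored MD5 digests are wrapped offline with PBKDF2-HMAC-SHA256 (the other option nly names; bcrypt would work identically but is not in the Python standard library), the bare MD5 column is replaced, and a `needs_reset` flag covers the case where the old digests are known to have leaked. The record layout, the function names, the sample users and the iteration count are all assumptions made for this example.

```python
import hashlib
import hmac
import os

# Constructed sample: a legacy user table holding bare, unsalted MD5 hex
# digests, the situation discussed in the thread.
LEGACY_USERS = {
    "alice": {"scheme": "md5", "hash": hashlib.md5(b"correct horse").hexdigest()},
    "bob": {"scheme": "md5", "hash": hashlib.md5(b"hunter2").hexdigest()},
}

# Assumed work factor; raise it to whatever your login latency budget allows.
PBKDF2_ITERATIONS = 200_000


def wrap_legacy_hash(md5_hex, salt=None, iterations=PBKDF2_ITERATIONS):
    """Hash the hash: PBKDF2-HMAC-SHA256 over the stored MD5 hex digest.

    This needs only the digest, not the password, so the entire table can be
    migrated in one offline pass and the bare MD5 values deleted at once.
    """
    salt = os.urandom(16) if salt is None else salt
    derived = hashlib.pbkdf2_hmac("sha256", md5_hex.encode("ascii"), salt, iterations)
    return {
        "scheme": "pbkdf2-sha256(md5)",  # hypothetical scheme tag
        "iterations": iterations,
        "salt": salt.hex(),
        "hash": derived.hex(),
        "needs_reset": False,
    }


def migrate_table(users, compromised=False):
    """Wrap every bare MD5 record in place.

    If the MD5 digests are believed to have leaked, flag each migrated
    account so the next successful login forces a password change.
    """
    for name, rec in users.items():
        if rec["scheme"] == "md5":
            new_rec = wrap_legacy_hash(rec["hash"])
            new_rec["needs_reset"] = compromised
            users[name] = new_rec
    return users


def verify(record, password):
    """Check a password against a migrated record.

    Returns (ok, needs_reset): needs_reset is only True for a correct
    password on a flagged account, so a failed attempt learns nothing.
    """
    if record["scheme"] != "pbkdf2-sha256(md5)":
        raise ValueError("unsupported scheme: " + record["scheme"])
    inner = hashlib.md5(password.encode("utf-8")).hexdigest()
    derived = hashlib.pbkdf2_hmac(
        "sha256",
        inner.encode("ascii"),
        bytes.fromhex(record["salt"]),
        record["iterations"],
    )
    ok = hmac.compare_digest(derived.hex(), record["hash"])
    return ok, (ok and record["needs_reset"])


def set_new_password(password, iterations=PBKDF2_ITERATIONS):
    """Store a fresh record after a forced reset, with the flag cleared.

    The MD5 inner layer is kept so every record shares one scheme; a plain
    PBKDF2 over the password would be an equally valid choice.
    """
    inner = hashlib.md5(password.encode("utf-8")).hexdigest()
    return wrap_legacy_hash(inner, iterations=iterations)


if __name__ == "__main__":
    table = migrate_table(dict(LEGACY_USERS), compromised=True)
    print(table["alice"]["scheme"], verify(table["alice"], "correct horse"))
```

Each login path ends up with exactly one verification routine: there is no window in which both a legacy MD5 check and a new check are live, which is the main operational advantage of wrapping over a lazy on-login rehash.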