
Why not do both then?

    1. bcrypt(SHA1(pass)) right now to secure all pws
    2. check against that, then update to bcrypt(pass) on login


That's probably the correct thing to do but since you're unlikely to ever achieve 100% migration, it doesn't help a whole lot.
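The two steps from the thread, sketched as an added example that is not part of either comment: wrap every stored hash now, then re-hash from the plaintext on the next successful login. Assumptions: the legacy table holds unsalted SHA-1 hex digests, the record layout and function names are hypothetical, and PBKDF2 from the Python standard library stands in for bcrypt so the block runs without third-party packages.

```python
import hashlib
import hmac
import os

ITERATIONS = 50_000  # constructed work factor for the stand-in KDF


def slow(data: bytes, salt: bytes) -> bytes:
    # Stand-in for bcrypt (assumption): any salted, deliberately slow hash fits here.
    return hashlib.pbkdf2_hmac("sha256", data, salt, ITERATIONS)


def sha1_hex(password: str) -> bytes:
    # Hex, not the raw digest: raw SHA-1 bytes can contain NUL, which some
    # bcrypt implementations treat as the end of the input.
    return hashlib.sha1(password.encode()).hexdigest().encode()


def wrap_legacy(sha1_hexdigest: str) -> dict:
    """Step 1: runs offline over the whole table, no plaintext needed."""
    salt = os.urandom(16)
    return {"scheme": "slow-sha1", "salt": salt,
            "hash": slow(sha1_hexdigest.encode(), salt)}


def login(record: dict, password: str) -> bool:
    """Step 2: verify under the record's scheme, then upgrade wrapped records."""
    if record["scheme"] == "slow-sha1":
        candidate = sha1_hex(password)
    elif record["scheme"] == "slow":
        candidate = password.encode()
    else:
        return False  # unknown scheme tag: refuse rather than guess
    if not hmac.compare_digest(slow(candidate, record["salt"]), record["hash"]):
        return False
    if record["scheme"] == "slow-sha1":
        salt = os.urandom(16)
        record.update(scheme="slow", salt=salt, hash=slow(password.encode(), salt))
    return True


def pending(db: dict) -> list:
    """Accounts that have not logged in since step 1 and are still wrapped."""
    return sorted(user for user, rec in db.items() if rec["scheme"] == "slow-sha1")


# Constructed sample: a legacy table of unsalted SHA-1 hex digests.
LEGACY = {"alice": hashlib.sha1(b"correct horse").hexdigest(),
          "bob": hashlib.sha1(b"hunter2").hexdigest()}
DB = {user: wrap_legacy(digest) for user, digest in LEGACY.items()}
```

Accounts that never log in again stay listed by `pending` and remain stored as the wrapped form rather than as bare SHA-1.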



