Check what the site's rules say the official password validity period is (if there is none, decide on one).
1. Create a new field in the database for the bcrypt password, as well as the date the password was changed.
2. Implement authorization that accepts both md5 and bcrypt, using the latter when it is set.
3. Develop an alert system for users whose password has expired.
4. Set the password date equal to the user's registration date if you haven't used it before.
5. When changing the password, write only bcrypt and do not use md5; it is better to add a flag field recording that the user has already changed the password using the new technology.
There will be a gradual transition to the new hash over a couple of password expiration periods.
Active users will somehow have to be encouraged to change their password.
Inactive ones will recover their password, for example by email, if they return to your resource and you someday decide to no longer support the md5 hash.
PS: Forcing the user to change the password is not the best option. Replace the password hash with the new algorithm as soon as you get the original password from the user and it is valid under the old algorithm, for example during the authorization process.
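The migration flow this answer describes (a legacy md5 column next to a new strong-hash column, a "migrated" flag, a password-change date checked against an expiry period, and a transparent rehash at login time) as an added, self-contained example; it is not code from the original answer or from the site. Python's standard library has no bcrypt, so the "new" hash is demonstrated with salted PBKDF2-HMAC-SHA256 from `hashlib`, which stands in for bcrypt here; the 90-day validity period, the `User` record and the usernames are constructed for the example.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

# Assumed policy value: the "official password validity period" the answer says to decide on.
PASSWORD_MAX_AGE = timedelta(days=90)

# Stand-in for bcrypt (not available in the standard library); PBKDF2 is salted and slow,
# which is the property that matters for the migration logic shown below.
PBKDF2_ITERATIONS = 200_000


@dataclass
class User:
    """Constructed user record mirroring the columns the answer proposes."""
    username: str
    md5_hash: Optional[str]                       # legacy, unsalted md5 hex digest
    new_hash: Optional[str] = None                # step 1: column for the new hash
    password_changed: date = field(default_factory=date.today)  # step 1/4: date of last change
    migrated: bool = False                        # step 5: flag "already on the new hash"


def legacy_md5(password: str) -> str:
    """The old scheme: plain md5 of the password, kept only to verify un-migrated users."""
    return hashlib.md5(password.encode("utf-8"), usedforsecurity=False).hexdigest()


def new_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Salted PBKDF2-HMAC-SHA256, serialised as algo$iterations$salt$digest (all hex)."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_new(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt/iterations and compare in constant time."""
    _algo, iterations, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


def set_password(user: User, password: str, today: Optional[date] = None) -> None:
    """Step 5: write only the new hash, drop md5, set the flag and the change date."""
    user.new_hash = new_hash(password)
    user.md5_hash = None
    user.migrated = True
    user.password_changed = today or date.today()


def authenticate(user: User, password: str, today: Optional[date] = None) -> bool:
    """Step 2 plus the PS: accept either hash; on a successful legacy login, rehash
    immediately because this is the one moment the plaintext is available."""
    today = today or date.today()
    if user.migrated and user.new_hash:
        return verify_new(password, user.new_hash)
    if user.md5_hash is not None:
        ok = hmac.compare_digest(legacy_md5(password), user.md5_hash)
        if ok:
            set_password(user, password, today)   # transparent upgrade, no forced change
        return ok
    return False


def password_expired(user: User, today: Optional[date] = None) -> bool:
    """Expiry check against the chosen validity period."""
    return (today or date.today()) - user.password_changed > PASSWORD_MAX_AGE


def users_to_notify(users, today: Optional[date] = None):
    """Step 3: the users whose password has expired and who should be alerted."""
    return [u.username for u in users if password_expired(u, today)]


if __name__ == "__main__":
    # Constructed demo: a legacy user logs in once and is silently migrated.
    alice = User("alice", md5_hash=legacy_md5("correct horse"),
                 password_changed=date(2024, 1, 1))
    print("login ok:", authenticate(alice, "correct horse", today=date(2024, 6, 1)))
    print("migrated:", alice.migrated, "md5 kept:", alice.md5_hash is not None)
    print("to notify on 2024-10-01:", users_to_notify([alice], date(2024, 10, 1)))
```

Note that the rehash happens only after a successful verification, so a wrong password never touches the stored record, and the change date is reset at that point so the expiry alert from step 3 does not fire for a user who has just been moved to the new hash.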