0

I just heard that somebody uses MD5 for hashing passwords. I thought about helping them to replace the algorithm to Argon2, but I am not sure which strategy to follow. I thought about 3 possible solutions:

  • hashing the MD5 hash with Argon2 as a quick fix (not sure how secure it would be, because it will inherit the collisions of MD5, but maybe it is good as a temporary solution until we do one of the others)
  • replacing the hashes at login and removing or locking accounts that did not login after a few months
  • sending a mail to everybody that their password is compromised and they should use the password reset link immediately and they should not use their old password on any other website (maybe it makes too much panic)

But this was just naive thinking, maybe you can come up with a much better solution. Is there anything recommended in this scenario?

inf3rno
  • 487
  • 1
  • 7
  • 19
  • 2
    Does this answer your question? [Hash function change](https://security.stackexchange.com/questions/19310/hash-function-change) and [many many many others](https://www.google.com/search?q=site:security.stackexchange.com+upgrade+password+hash) – Steffen Ullrich Jan 11 '20 at 21:07
  • Yes, this looks like the best answer: https://security.stackexchange.com/a/31439/46259 – inf3rno Jan 11 '20 at 23:05

0 Answers0