[keycloak-user] Password hash migration: what authority says "rehash the hash" is a good strategy?

Aaron Harnly keycloak-user at bulk.harnly.net
Wed Mar 27 11:57:10 EDT 2019


We are migrating an older system with a deprecated password hashing
strategy that we want to bring up to modern standard.

There are a range of options for the migration, including:

1. Reset all user passwords (not ideal!)
2. Rehash after successful login (works, but leaves older hashes in
storage until the long tail of users have all logged in)
3. "Rehash the hashes", i.e. bulk replace the 'oldhash' values with
newhash(oldhash), with a custom verifier that does the double hash;
then do #2 on login.

I'd like input on strategy #3 – i.e. is there advice from authoritative
sources confirming that this is a secure strategy? It seems fine to my
layperson's eyeballs, and is surely better than leaving old hash
values in storage for a long time. But I'd like reassurance on it, and
can't find anything other than stray Stack Overflow responses[1, 2] or
blog posts[3] discussing it.

[1]: https://crypto.stackexchange.com/q/2945
[2]: https://security.stackexchange.com/a/17294
[3]: https://www.michalspacek.com/upgrading-existing-password-hashes

Any suggestions for an authoritative source on this?
cheers
-Aaron
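Added example (not code from the original post or from Keycloak): a minimal, runnable sketch of strategy #3 in Python. It assumes the legacy store holds unsalted SHA-1 hex digests and that the target scheme is PBKDF2-HMAC-SHA256 with a per-user 16-byte salt; the algorithm tags, the record layout and the 100,000-iteration work factor are illustrative choices, and the user records are constructed inline. The bulk step wraps each stored hash as newhash(oldhash) without needing any plaintext, the verifier recognises the wrapped tag and recomputes the inner legacy hash before the outer PBKDF2, and a successful login against a wrapped record returns a fresh direct PBKDF2 record so the caller can persist the upgrade.

```python
"""Added example: 'rehash the hashes' migration (strategy #3).

Assumptions (not from the original post): the legacy store holds unsalted
SHA-1 hex digests; the target scheme is PBKDF2-HMAC-SHA256 with a per-user
16-byte salt. Records are plain dicts; a real system would persist them.
"""
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 100_000   # work factor for the new scheme (assumed value)
SALT_BYTES = 16

# --- legacy scheme (deprecated, what the old system stored) -----------------
def legacy_hash(password: str) -> str:
    """Unsalted SHA-1 hex digest: the deprecated format being migrated away."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()

# --- new scheme --------------------------------------------------------------
def pbkdf2(secret: bytes, salt: bytes, iterations: int) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret, salt, iterations)

def new_record(password: str) -> dict:
    """Record produced by hashing a plaintext password directly (final state)."""
    salt = os.urandom(SALT_BYTES)
    return {
        "alg": "pbkdf2-sha256",
        "salt": salt,
        "iter": PBKDF2_ITERATIONS,
        "hash": pbkdf2(password.encode("utf-8"), salt, PBKDF2_ITERATIONS),
    }

# --- step 1 of strategy #3: bulk wrap every stored legacy hash ---------------
def wrap_legacy_record(legacy_hex: str) -> dict:
    """newhash(oldhash): PBKDF2 over the legacy hex digest, no plaintext needed.

    The inner value is the ASCII hex string, so the verifier must feed PBKDF2
    exactly the same bytes (see verify()).
    """
    salt = os.urandom(SALT_BYTES)
    return {
        "alg": "pbkdf2-sha256(sha1)",   # tag tells the verifier to double-hash
        "salt": salt,
        "iter": PBKDF2_ITERATIONS,
        "hash": pbkdf2(legacy_hex.encode("ascii"), salt, PBKDF2_ITERATIONS),
    }

def bulk_migrate(store: dict) -> dict:
    """Replace every {'alg': 'sha1'} record with its wrapped form, in place."""
    for user, rec in store.items():
        if rec["alg"] == "sha1":
            store[user] = wrap_legacy_record(rec["hash"])
    return store

# --- step 2: verifier that understands both forms and upgrades on login -----
def verify(record: dict, password: str) -> tuple:
    """Return (ok, record_to_store).

    record_to_store is a fresh direct PBKDF2 record when the login succeeded
    against a wrapped hash (the on-login rehash of strategy #2); otherwise it
    is the record that was passed in.
    """
    alg = record["alg"]
    if alg == "pbkdf2-sha256":
        inner = password.encode("utf-8")
    elif alg == "pbkdf2-sha256(sha1)":
        inner = legacy_hash(password).encode("ascii")   # recompute old hash first
    else:
        raise ValueError(f"unsupported algorithm tag {alg!r}")
    expected = pbkdf2(inner, record["salt"], record["iter"])
    ok = hmac.compare_digest(expected, record["hash"])
    if ok and alg != "pbkdf2-sha256":
        return True, new_record(password)          # upgrade to the final form
    return ok, record

def run_demo() -> dict:
    """Constructed sample store; returns the outcome of each step as a dict."""
    store = {"alice": {"alg": "sha1", "hash": legacy_hash("correct horse")}}
    bulk_migrate(store)
    wrapped_alg = store["alice"]["alg"]
    ok, upgraded = verify(store["alice"], "correct horse")
    bad, _ = verify(store["alice"], "wrong password")
    store["alice"] = upgraded                      # persist the on-login upgrade
    ok2, _ = verify(store["alice"], "correct horse")
    return {"wrapped_alg": wrapped_alg, "login_ok": ok, "wrong_rejected": not bad,
            "upgraded_alg": upgraded["alg"], "login_after_upgrade": ok2}

if __name__ == "__main__":
    print(run_demo())
```

Two points worth keeping in mind when doing this for real: the verifier and the bulk step must agree byte for byte on how the inner legacy value is encoded (hex text versus raw digest, any legacy salt or prefix), or every wrapped record becomes unverifiable; and wrapping raises the cost of cracking the copy you hold now, but does nothing for any copy of the old hash table that leaked before the migration.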


