We are migrating an older system with a deprecated password hashing
strategy that we want to bring up to modern standard.
There are a range of options for the migration, including:
1. Reset all user passwords (not ideal!)
2. Rehash after successful login (works, but leaves older hashes in
storage until the long tail of users have all logged in)
3. "Rehash the hashes", i.e. bulk replace the 'oldhash' values with
newhash(oldhash), with a custom verifier that does the double hash;
then do #2 on login.
I'd like input on strategy #3 – i.e. is there advice from authoritative
sources confirming that this is a secure strategy? It seems fine to my
layperson's eyeballs, and is surely better than leaving old hash
values in storage for a long time. But I'd like reassurance on it, and
can't find anything other than stray Stack Overflow responses[1, 2] or
blog posts[3] discussing it.
[1]: https://crypto.stackexchange.com/q/2945
[2]: https://security.stackexchange.com/a/17294
[3]: https://www.michalspacek.com/upgrading-existing-password-hashes
Any suggestions for an authoritative source on this?
cheers
-Aaron
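
Added example, not part of the original message: a sketch of option 3 (bulk wrap of the stored hashes, a verifier that does the double hash, then option 2 on login). The legacy scheme (unsalted MD5 stored as hex), PBKDF2-HMAC-SHA256 as the new hash, the record layout and all function names are assumptions, since the message does not name either algorithm.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000  # assumed PBKDF2 work factor; tune for your hardware


def legacy_hash(password: str) -> str:
    # Assumed legacy scheme: unsalted MD5, stored as lowercase hex.
    return hashlib.md5(password.encode()).hexdigest()


def strong_hash(secret: bytes, salt: bytes) -> bytes:
    # Assumed "newhash": PBKDF2-HMAC-SHA256 with a per-record salt.
    return hashlib.pbkdf2_hmac("sha256", secret, salt, ITERATIONS)


def wrap_legacy(old_hex: str) -> dict:
    """Bulk step: needs only the stored old hash, never the password."""
    salt = os.urandom(16)
    # The scheme tag tells the verifier which records need the double hash.
    return {"scheme": "pbkdf2(md5)", "salt": salt,
            "hash": strong_hash(old_hex.encode(), salt)}


def hash_direct(password: str) -> dict:
    """Final form: new hash computed over the password itself."""
    salt = os.urandom(16)
    return {"scheme": "pbkdf2", "salt": salt,
            "hash": strong_hash(password.encode(), salt)}


def verify(record: dict, password: str):
    """Return (ok, replacement): replacement is the record to store, or None."""
    if record["scheme"] == "pbkdf2(md5)":
        secret = legacy_hash(password).encode()  # inner (old) hash first
    elif record["scheme"] == "pbkdf2":
        secret = password.encode()
    else:
        return False, None  # unknown scheme tag: fail closed
    candidate = strong_hash(secret, record["salt"])
    ok = hmac.compare_digest(candidate, record["hash"])
    if ok and record["scheme"] == "pbkdf2(md5)":
        # Password is known only at login, so drop the wrapper now (option 2).
        return True, hash_direct(password)
    return ok, None
```

The scheme tag stored with each record is what lets wrapped and directly hashed rows coexist while the long tail of users logs in.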