In a new post to his site, Rob Allen walks through the process of migrating an older site to use the password hashing functions in PHP instead of the previous custom implementation.
I’ve recently been updating a website that was written a long time ago that has not been touched in a meaningful way in many years. In addition to the actual work I was asked to do, I took the opportunity to update the password hashing routines.
This site is so old that the passwords are stored using MD5 hashes and that’s not really good enough today, so I included updating to bcrypt hashing with password_hash() and password_verify() in my statement of work.
I’ve done this process before, but don’t seem to have documented it, so thought I’d write it the steps I took in case it helps anyone else.
He starts off by taking all of the current passwords (not plain-text, already hashed) and migrating them all to their bcrypt-ed version. He then updates the login functionality to select the account by email and check the record's password value with the
password_verify function. Finally, he updates the system to rehash the plain-text password value (received from the user and verified) with bcrypt and save that back to the database and updated the password hashing method on user account creation.