Originally Posted by Plan9
As far as I know, MD5 has never been considered secure. SHA1 has been around since the dawn of the web and security researchers have been voicing the evils of MD5 for at least 10 years already. There really isn't any excuse in my opinion.
There's quite a simple method in my opinion, have a password2 column and in code, check if that column is empty for the user logging in; if so, fall back to the old password hash for verification then save the new hash (if user logged in successfully) in password2 and delete out the old hash. So over the course of a few months, users effectively migrate themselves over to the new hashes - but it's all done transparently to them.
Granted on a real busy site, you're creating a little additional overhead for the first time users log in. But it's only a 1 time hit per user and the end result is zero downtime.
in all the classes i took back in the day, when it came to login systems, MD5 + a salt was considered, "adequately secure". I haven't used it myself when i do custom jobs in about 10 years. I do use it for other things, such as file naming when uploading photos or files, that way to prevent filename clashes, or as a suffix of a filename in a secure location, to prevent "guessing" the name of it.
yeah the script was done exactly like that, it is how i do it myself as well. it just was failing about 25% of the time, might've been due to overhead. the system admin said the server was under more strain than normal, but nothing that it couldn't handle. It would at times generate the new password, but not delete the old one from the second column. other times it would delete the old one, create the new one but used the md5+salt hash as the password. other times it just seem to generate one randomly.
when they would use the password reset form, it would generate the new password for them, but not the hash, and that code was sound. as it was one i had used dozen of times from a working site. It could've been a configuration problem with the server itself, but nothing stood out, and there was a half dozen eyes on this thing, searching for the problem, as it was costing the customer a great deal of money trying to figure out.
I've seen it a lot tho, my own code has done it, i've seen conversion scripts from one to another, developed by the company in question do it as well. it is annoying, but it needs to be done. the faster the better.