Password security – hashing algorithm

Context:

Passwords must be stored so that an attacker who obtains the application's data store cannot recover them. A password hash is a one-way function suited to this: the stored value can be checked against a submitted password, but it cannot be reversed to reveal the password, and the hash itself cannot be submitted in place of the password to authenticate.

Problem:

The currently used hashing algorithm, MD5, is not suitable for password storage. It is a fast general-purpose digest, so an attacker holding the stored hashes can test guesses at very high speed (including with precomputed tables when no per-user salt is used). Dedicated password hashing algorithms exist that are deliberately slow and salted and meet much higher security requirements.

Solution:

The currently used hashing algorithm MD5 is replaced by the “bcrypt” password hashing algorithm. bcrypt generates a random salt for every password and has a configurable work factor (cost), so the time needed to test a single guess can be raised as hardware becomes faster.

Limitation:

The new algorithm is applied only when a new password is set, which happens in the following scenarios:

  • creating a new user
  • “I forgot my password” workflow
  • “change my password” workflow
  • password expired workflow

The password hash algorithm remains MD5 for all existing users until one of the above scenarios is completed. Until then their stored hashes are no better protected than before, and the login code has to recognise and verify both hash formats side by side.
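The following is an added example, not the product's own code, showing how the two-format period described above can be handled: new passwords are always written with bcrypt, verification dispatches on the stored format, and the caller is told when a user is still on MD5. It assumes the legacy format is an unsalted 32-character hex MD5 digest and that the cost value 12 is acceptable for the server; both are assumptions, as is the sample data. The login function at the end goes beyond the rollout described on this page: because the plaintext is only available at login, it rehashes MD5 users there rather than waiting for one of the four password-setting scenarios.

```php
<?php
// Added example (not the product's own code). Assumptions: the stored value is
// either a 32-hex-char unsalted MD5 digest (legacy) or a bcrypt string ("$2y$...").
const BCRYPT_COST = 12; // assumed cost; tune so one hash takes roughly 100-250 ms

// Used by all four "new password" scenarios: always bcrypt, never MD5.
// password_hash() generates a random 16-byte salt and embeds it in the result.
function hash_new_password(string $password): string
{
    return password_hash($password, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]);
}

// True if the stored value is in the legacy MD5 format (assumed: 32 hex chars).
function is_legacy_md5_hash(string $stored): bool
{
    return preg_match('/^[0-9a-f]{32}$/i', $stored) === 1;
}

// Returns [bool $ok, bool $needsRehash].
// $needsRehash is true for any legacy MD5 hash and for bcrypt hashes whose
// cost is lower than the current BCRYPT_COST.
function verify_password(string $stored, string $candidate): array
{
    if (is_legacy_md5_hash($stored)) {
        // Legacy path: constant-time comparison of the two hex digests.
        $ok = hash_equals(strtolower($stored), md5($candidate));
        return [$ok, $ok];
    }
    $ok = password_verify($candidate, $stored);
    $needsRehash = $ok && password_needs_rehash($stored, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]);
    return [$ok, $needsRehash];
}

// Login with opportunistic upgrade. This is the extension mentioned in the
// lead-in, not the behaviour the page describes: the rollout on this page
// only re-hashes when a new password is set.
function login(array &$users, string $name, string $candidate): bool
{
    if (!isset($users[$name])) {
        // Run a bcrypt verification anyway so timing does not reveal which
        // usernames exist. The dummy hash below is constructed for this example.
        password_verify($candidate, hash_new_password('dummy'));
        return false;
    }
    [$ok, $needsRehash] = verify_password($users[$name], $candidate);
    if ($ok && $needsRehash) {
        $users[$name] = hash_new_password($candidate);
    }
    return $ok;
}

// Constructed sample rows, not real user data.
$users = [
    'alice' => '5f4dcc3b5aa765d61d8327deb882cf99',       // md5('password'): legacy user
    'bob'   => hash_new_password('correct horse battery'), // already on bcrypt
];

var_dump(login($users, 'alice', 'wrong'));    // bool(false), hash unchanged
var_dump(login($users, 'alice', 'password')); // bool(true), alice is now on bcrypt
var_dump(str_starts_with($users['alice'], '$2y$')); // bool(true)
var_dump(login($users, 'bob', 'correct horse battery')); // bool(true), no rehash needed
var_dump(login($users, 'carol', 'anything')); // bool(false), unknown user
```

Two caveats a practitioner will want to keep in mind when adapting this: bcrypt only uses the first 72 bytes of the password, so very long passphrases are silently truncated, and the MD5 branch must be removed (or the remaining MD5 accounts forced through a reset) once the migration is considered complete, otherwise the weak path stays reachable indefinitely.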