Password security – hashing algorithm
Passwords must be stored in a way that prevents an attacker from recovering them even if the application or database is compromised. Hashing is a one-way function suited to password validation: even if a hashed password is obtained, it cannot be reversed to the original password and cannot be used for authorization on its own.
The currently used hashing algorithm, MD5, may become obsolete in the near future, as newer password hashing algorithms are available that meet higher security requirements.
MD5 is therefore replaced by the newer bcrypt algorithm.
The new method is applied whenever a new password is set in one of the following scenarios:
- creating a new user
- the “Forgot my password” workflow
- the “Change my password” workflow
- the “Password expired” workflow
The password hash algorithm remains MD5 for all existing users unless one of the above scenarios is completed.
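As an added illustration (not the application's own code), the following PHP functions hash with bcrypt whenever a password is set in one of the scenarios above and still verify the MD5 hashes of existing users. It assumes, which the text does not state, that legacy hashes are stored as 32 lowercase hex characters of unsalted MD5 and that the bcrypt cost factor is 12.

```php
<?php
// Added example: bcrypt for newly set passwords, MD5 accepted only for legacy records.

// Assumption: work factor used for all new bcrypt hashes.
const BCRYPT_COST = 12;

// Assumption: legacy MD5 hashes are stored as 32 lowercase hex characters.
function isLegacyMd5Hash(string $stored): bool
{
    return preg_match('/^[0-9a-f]{32}$/', $stored) === 1;
}

// Called from the four "password set" scenarios: new user, forgot,
// change and expired password. Always produces a bcrypt ($2y$) hash.
function hashNewPassword(string $password): string
{
    return password_hash($password, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]);
}

// Verifies a login attempt against whichever format the record holds.
// Existing users keep their MD5 hash until they complete one of the
// scenarios above, so both formats must be accepted during the transition.
function verifyPassword(string $password, string $stored): bool
{
    if (isLegacyMd5Hash($stored)) {
        // Constant-time comparison avoids leaking how many bytes matched.
        return hash_equals($stored, md5($password));
    }
    return password_verify($password, $stored);
}

// Reports which algorithm a stored record uses, e.g. for a migration report.
function storedAlgorithm(string $stored): string
{
    if (isLegacyMd5Hash($stored)) {
        return 'md5';
    }
    return password_get_info($stored)['algoName']; // 'bcrypt' for $2y$ hashes
}
```

During the transition, counting records by `storedAlgorithm()` shows how many users still hold an MD5 hash and have not yet passed through one of the password-set scenarios.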