[SOLVED]

How to switch from DES encryption to BCRYPT hashing for passwords

2/14/2025 4:27:56 PM
PHPRunner General questions
bioman author

Hi,
I'm trying to switch from my current password encryption with DES which I hear is not very secure, to BCRYPT hashing. Users can currently log in with the encrypted DES passwords. I'd like to switch all of these to BCRYPT hashed passwords and still have people be able to login. It seems that the DES encrypted passwords are using a 16 byte key instead of an 8 byte key so I'm not sure how to decrypt them. I only want to decrypt them so that I can store them as hashed passwords, and then delete the decrypted versions.

Does anyone know how best to do this? I'd prefer to not require users to re-register, but I'm considering that option if I can't make the passwords hashed with BCRYPT.

Thanks,
Brett

Admin 2/14/2025

Users definitely do not need to register. Normally, when you switch from one hashing option to another you can switch to BCRYPT and tell users to reset their passwords. You can send an email to all users and you can also write down this info on the login page.

In your specific case you might be able to avoid all the nuisance though.

  1. Make a backup of your database and project
  2. Export your existing users table data to CSV file. This will give you unencrypted passwords in CSV file.
  3. Make sure that password field is at least 72 characters long, 100 characters is better.
  4. Make changes to the project to support BCRYPT for password hashing and turn off DES encryption for this field. Upload the project.
  5. Delete all the data in the login table.
  6. Upload the CSV file to the login table.
  7. Write and run PHP script that would convert all existing plain text passwords to BCRYPT. Make sure that you test it on a different test database first. Also make sure that it doesn't try to hash the passwords that were hashed already. You can use password_hash() function in PHP to create BCRYPT hash:
    https://www.php.net/manual/en/function.password-hash.php
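One way to write the conversion script from step 7, as an added example that is not part of the original reply and not PHPRunner's own code. It assumes the login table is called `login` with an integer `id` column and a `password` column (rename these to match your project), and it runs stand-alone against an in-memory SQLite table filled with constructed sample rows, including one row that is already hashed, to show that re-running the script is a no-op:

```php
<?php
declare(strict_types=1);

// Added example (not PHPRunner code): hash every plain-text password in a login
// table with bcrypt, skipping rows that already hold a bcrypt hash so the script
// is safe to run more than once. Table and column names are assumptions.

function isBcryptHash(string $value): bool
{
    // password_get_info() reports 'bcrypt' only for a well-formed $2y$.. hash,
    // so a plain-text password that happens to start with '$2y$' is not misdetected.
    return password_get_info($value)['algoName'] === 'bcrypt';
}

function convertPlaintextPasswords(PDO $pdo, string $table, string $idCol, string $pwCol): int
{
    $converted = 0;
    $select = $pdo->query("SELECT {$idCol} AS id, {$pwCol} AS pw FROM {$table}");
    $update = $pdo->prepare("UPDATE {$table} SET {$pwCol} = :hash WHERE {$idCol} = :id");

    // One transaction: either every row is converted or none is.
    $pdo->beginTransaction();
    try {
        foreach ($select->fetchAll(PDO::FETCH_ASSOC) as $row) {
            $plain = (string) $row['pw'];
            if ($plain === '' || isBcryptHash($plain)) {
                continue; // empty or already hashed: leave untouched
            }
            // bcrypt only looks at the first 72 bytes of the input; longer
            // passwords are silently truncated, which is fine for existing users.
            $hash = password_hash($plain, PASSWORD_BCRYPT, ['cost' => 12]);
            $update->execute([':hash' => $hash, ':id' => $row['id']]);
            $converted++;
        }
        $pdo->commit();
    } catch (Throwable $e) {
        $pdo->rollBack();
        throw $e;
    }
    return $converted;
}

// --- Stand-alone demo on an in-memory SQLite table with constructed rows ---
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE login (id INTEGER PRIMARY KEY, username TEXT, password VARCHAR(100))');
$ins = $pdo->prepare('INSERT INTO login (username, password) VALUES (?, ?)');
$ins->execute(['alice', 'correct horse battery staple']);
$ins->execute(['bob', 'hunter2']);
$ins->execute(['carol', password_hash('already-hashed', PASSWORD_BCRYPT)]); // pre-hashed row

$first  = convertPlaintextPasswords($pdo, 'login', 'id', 'password');
$second = convertPlaintextPasswords($pdo, 'login', 'id', 'password'); // re-run must change nothing
printf("converted %d rows on first run, %d on second\n", $first, $second);

// Check that the original passwords still verify and nothing is left in the clear.
$rows = $pdo->query('SELECT username, password FROM login')->fetchAll(PDO::FETCH_KEY_PAIR);
assert(password_verify('hunter2', $rows['bob']));
assert(password_verify('correct horse battery staple', $rows['alice']));
assert(password_verify('already-hashed', $rows['carol']));
assert(!in_array('hunter2', $rows, true));
```

Two practical notes: a `password_hash()` bcrypt string is 60 characters, so the 72-plus column from step 3 has room to spare, and the exported CSV from step 2 holds every user's password in clear text, so keep it off shared storage and delete it once the hashed table has been verified.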

bioman author 2/14/2025

Thanks for the information, but I'm a bit confused. I don't have plain text passwords stored in the database. Are you saying that PHPRunner will decrypt the encrypted passwords automatically if I export as csv?

bioman author 2/14/2025

Nevermind, I see that now. Thanks!

bioman author 2/15/2025

Thanks, that worked well!