0

We want to migrate our userbase from bcrypt to argon2.

I was planning on an approach that migrates all hashes immediately to argon2; "old" users would have an argon2'd hash of their bcrypt hash of their password. New users (and users that logged in) would get updated so their argon2 hash of their password was what was saved.

My problem is: to compare hashes in the legacy case, I have to be able to generate a bcrypt hash first then an argon2 hash. But the bcrypt hash comparison requires information from the password hash itself (salt etc.) to generate a matching value (which can then be hashed with argon2).

If I want to use this approach, do I have any option other than extracting and storing the bcrypt salt somewhere outside the password field?

Joe
  • 103
  • 4
  • I think this might be asked on Information Security. – kelalaka Nov 08 '19 at 18:38
  • I wasn't sure the right place. There's overlap for sure, but this seemed focused enough on "what things do I need to make the algorithm functional"... – Joe Nov 08 '19 at 19:43
  • An old but related answer Convert old and busted password encryption to something sensible – kelalaka Nov 08 '19 at 20:19
  • 1
    Be very sure to bench-test actual performance at scale for either algorithm. If you tune argon2 to be as responsive as bcrypt at speeds .5s/auth or less, it's actual less resistant to attack than bcrypt is, and for speeds between .5s/auth and 1s/auth, they're the same. https://twitter.com/jmgosney/status/1111865772656246786 In other words, it may not be worth the effort for your use case. And if you wrap one slow hash in another slow hash, you're roughly doubling how long users have to wait to authenticate. – Royce Williams Nov 08 '19 at 22:09
  • Sometimes these decisions are non-technical in nature. And the double slow time would be a one-time-per-user thing. But thank you for the link! – Joe Nov 09 '19 at 00:02
  • Ah, it wasn't clear to me that you'd be doing a global password reset. From context, it looked like unless the users initiated a password change, they could be double-hashed indefinitely. – Royce Williams Nov 09 '19 at 01:10

1 Answers1

1

If I want to use this approach, do I have any option other than extracting and storing the bcrypt salt somewhere outside the password field?

No. You need to store the bcrypt parameters (salt and iteration count) and the Argon2 parameters.

Squeamish Ossifrage
  • 48,392
  • 3
  • 116
  • 223