Timeline for How can I use existing password-sha256, to allow login authorisation?

Current License: CC BY-SA 4.0

9 events

when toggle format	what		by	license	comment
Dec 22, 2020 at 19:52	comment	added	ilkkachu		@Samuel, technically, I suppose what you could do, would be to take the old hashes you have, and use them as the password to be processed with sha-crypt (possibly after encoding them in text, either Base64 or hex). So, hash = shacrypt(salt, hex(sha256(password))) . You'd need some frontend to do the initial hash and encode before calling sha-crypt, of course. The step of taking a raw SHA-256 of the hash shouldn't be an issue, since most human passwords have way less than 256 bits (or even 128 bits) of entropy. However, you *really* should ask on crypto.SE or security.SE before that!
Dec 22, 2020 at 19:46	comment	added	ilkkachu		@Samuel, mm, yes. And it actually says "password" twice, I didn't even realize that. But even if it were just sha512(password + salt), it would only seem to help if the old hash already had a sensible random salt, and there was no issue with padding difference or whatever. But then the md5-crypt and sha-crypt algorithms are just weird and the plain password or at least it's length does seem to appear later in the algorithm, too.
Dec 22, 2020 at 19:18	history	edited	ilkkachu	CC BY-SA 4.0	added 9 characters in body
Dec 22, 2020 at 18:54	history	edited	ilkkachu	CC BY-SA 4.0	added 52 characters in body
Dec 22, 2020 at 18:53	vote	accept	Sfp
Dec 22, 2020 at 18:53	comment	added	Sfp		I think this is correct, I didn't look at that part and I believed only in the first part which didn't say anything about calculating sha512(password + salt + password)
Dec 22, 2020 at 18:46	vote	accept	Sfp
Dec 22, 2020 at 18:48
Dec 22, 2020 at 18:30	vote	accept	Sfp
Dec 22, 2020 at 18:31
Dec 22, 2020 at 18:15	history	answered	ilkkachu	CC BY-SA 4.0