How to change password hashing form md5 to sha1 without affeting current users?


We currently updated from ojs 2.4.5 to 2.4.8 and then to
In out previous configuration we were using md5 password hashing, we would like to switch to more secure sha1 method.

Is it possible to achieve this without asking old users to update their passwords?

Bonus question:
How does it work?

Password created by ojs 2.4.5 are stored in database as 32 hex numbers, as expected (MD5 being 128bit). But in the new system, choosing either md5 or sha1, passwords are stored as 60 character string. SHA1 being 160bit shouldn’t it be 40 hex digits?

Is “salt” only used for resetting passwords? How is it used? Can I change it anytime to anything without affecting users? Or would it have impact on how users log in?


Hi @Dani,

It’s not possible to batch-convert hashes from one from to another.

The good news is that OJS 2.4.8-1 uses a new suite of encryption functions (when available) and password hashes should be converted to use it as users log in. You should see existing users’ hashes changing to a different form as they log in.

The salt should be some kind of random-ish string that stays with your configuration. This is used to prevent table-style attacks. It’ll need to stay the same once you’ve chosen it.

Alec Smecher
Public Knowledge Project Team

1 Like