User blog comment:Rappy 4187/Technical Update: March 8, 2017/@comment-11733175-20170308232857/@comment-11536-20170309135951


 * As bcrypt is a one-way algorithm, as I would hope the current hashing method is, how will users be migrated to the new method?

Hey Cam. :) We took the same approach Wikimedia took for existing hashes. All existing password hashes were first migrated to a wrapped layered format, so the existing hash is re-hashed in bcrypt, marked as a wrapped type, and encrypted. This is so we don't have any old password hashes stored as-is, given the long tail of accounts that are unlikely to log in again. On a successful login, a wrapped hash is converted into the new bcrypt + encrypted format.