bcrypt is just obsolete – this was to find a *successor* to it. yescrypt, one of... (2024)

My favorite way would be to store password information as a hash chain, so old users can be immediately upgraded to the latest method while new users just use the latest.

For example, Django currently stores its passwords in a single database column as

 <algorithm>$<iterations>$<salt>$<hash>

So suppose we generalize that to a chain of one or more hash algorithms, with each output fed in as the password to the next, resulting in a final hash:

 <algorithm>$<iterations>$<salt>|<algorithm>$<iterations>$<salt>|$<hash>

For example if you had a user who logged in way back in unsalted md5 days and never logged in again, you might end up with a chain like this:

 md5|sha256$<salt>|bcrypt$<iterations>$<salt>|$<hash>

... and then to upgrade to argon you would grab that string, shove the final hash through argon(), and write back:

 md5|sha256$<salt>|bcrypt$<iterations>$<salt>|argon$<iterations>$<salt>|$<hash>

For new users, or if the old user finally came back and logged in with their correct password, you could then take the opportunity to write back a simplified version:

 argon$<iterations>$<salt>|$<hash>

Iterations could be calibrated differently depending on the chain, if the earlier steps take enough time to matter.

As far as I can tell this is the best possible service you can offer to the users whose long-ago passwords you're storing, short of deleting their passwords entirely. Throwing away the earlier version and replacing it with the argon-wrapped version can't hurt them, and will almost certainly help.

(Usual caveats apply about not doing things that add complexity if you don't need it.)
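The chain format described in the comment above, worked through as an added example (this is not the commenter's code, and the step names, helper names and sample values are my own). To keep it runnable without third-party packages, unsalted md5, salted sha256 and PBKDF2-HMAC-SHA256 stand in for the md5, sha256, bcrypt and argon steps; a real deployment would register bcrypt and argon2 in the same `STEPS` table. The stored column is `<alg>$<params>|<alg>$<params>|$<hash>`, each step consuming the previous step's hex output as its password:

```python
"""Hash-chain password storage (example code, stdlib only)."""
import binascii
import hashlib
import hmac
import os

# Step functions: (password_bytes, [params]) -> hex output as bytes.
# bcrypt/argon2 would be registered here in practice; these are stand-ins.
def _md5(pw, params):                       # legacy unsalted md5, no params
    return hashlib.md5(pw).hexdigest().encode()

def _sha256_salted(pw, params):             # sha256$<salt>
    (salt,) = params
    return hashlib.sha256(salt.encode() + pw).hexdigest().encode()

def _pbkdf2_sha256(pw, params):             # pbkdf2_sha256$<iterations>$<salt>
    iterations, salt = params
    dk = hashlib.pbkdf2_hmac("sha256", pw, salt.encode(), int(iterations))
    return binascii.hexlify(dk)

STEPS = {"md5": _md5, "sha256": _sha256_salted, "pbkdf2_sha256": _pbkdf2_sha256}

def parse_chain(stored):
    """Split the column into [(alg, [params...]), ...] plus the final hash."""
    *steps, tail = stored.split("|")
    if not steps or not tail.startswith("$"):
        raise ValueError("malformed hash chain")
    parsed = []
    for step in steps:
        alg, *params = step.split("$")
        if alg not in STEPS:
            raise ValueError("unknown algorithm %r" % alg)
        parsed.append((alg, params))
    return parsed, tail[1:]

def format_chain(steps, final_hash):
    return "|".join("$".join([alg, *params]) for alg, params in steps) + "|$" + final_hash

def run_chain(steps, password):
    """Feed the password through every step in order; returns the last hex digest."""
    data = password.encode()
    for alg, params in steps:
        data = STEPS[alg](data, params)
    return data.decode()

def verify(stored, password):
    steps, expected = parse_chain(stored)
    return hmac.compare_digest(run_chain(steps, password), expected)

def upgrade(stored, alg, params):
    """Offline upgrade: wrap the existing final hash in one more step. No plaintext needed."""
    if alg not in STEPS:
        raise ValueError("unknown algorithm %r" % alg)
    steps, final_hash = parse_chain(stored)
    new_hash = STEPS[alg](final_hash.encode(), params).decode()
    return format_chain(steps + [(alg, params)], new_hash)

def rehash(password, alg, params):
    """After a successful login: replace the whole chain with one current-strength step."""
    steps = [(alg, params)]
    return format_chain(steps, run_chain(steps, password))

def new_salt():
    # hex output guarantees the salt never contains the '$' or '|' separators
    return os.urandom(8).hex()

if __name__ == "__main__":
    legacy = rehash("hunter2", "md5", [])                  # what an md5-era row looks like
    migrated = upgrade(upgrade(legacy, "sha256", [new_salt()]),
                       "pbkdf2_sha256", ["600000", new_salt()])
    print(migrated)
    print(verify(migrated, "hunter2"), verify(migrated, "wrong"))
    print(rehash("hunter2", "pbkdf2_sha256", ["600000", new_salt()]))
```

`upgrade()` never sees the plaintext, so it can run as a batch migration over every row; `rehash()` runs inside the login handler once `verify()` has succeeded and collapses the chain to a single step, which is the only way the unsalted md5 stage ever disappears. Salts are emitted as hex precisely so that no parameter can contain the `$` or `|` separators; if a step ever needed free-form parameters, the format would need escaping.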


FAQs

What is the faster alternative to bcrypt?

The SHA family (SHA-256 and relatives) is faster than bcrypt by design, which is exactly why it is not suitable for password storage on its own: a fast hash lets an attacker test billions of guesses per second on commodity GPUs. SHA is meant as a building block inside other constructions (HMAC, PBKDF2, signatures). bcrypt, scrypt and Argon2 are deliberately slow. All of them, SHA included, are one-way functions.

Is bcrypt compromised?

No practical break of bcrypt is known. It offers significant protection for stored passwords, but it is not a fail-safe solution against password compromise: it only makes guessing expensive, so weak passwords are still crackable and a breach still exposes the hashes.

Should you use bcrypt?

Can bcrypt hashing prevent password compromise? In short, no. It protects stored passwords from being guessed cheaply, but HaveIBeenPwned lists many breaches in which bcrypt hashes have been exposed. It is still a reasonable choice for password storage, provided the cost factor is tuned and weak passwords are rejected at registration.

What is bcrypt used for?

The bcrypt function is the default password hash algorithm for OpenBSD, and was the default for some Linux distributions such as SUSE Linux. There are implementations of bcrypt in C, C++, C#, Embarcadero Delphi, Elixir, Go, Java, JavaScript, Perl, PHP, Ruby, Python and other languages.

Is bcrypt deprecated?

The algorithm is not deprecated. What is deprecated is the npm package bcrypt-nodejs, which throws a warning on install (issue #8903); use a maintained package such as `bcrypt` or `bcryptjs` instead.

What is the disadvantage of bcrypt?

bcrypt is deliberately slow and uses a small, fixed amount of memory (4 KiB, the Blowfish S-boxes). A defender spends on the order of 100 ms to check one valid password, while an attacker needs days or years to crack it because every guess costs the same and GPUs handle the 4 KiB working set poorly. The actual drawbacks are the 72-byte limit on password length and the fact that 4 KiB is no longer enough to defeat FPGA or ASIC attackers, which is why memory-hard functions such as scrypt and Argon2 were developed.

Is bcrypt secure in 2024?

Among breached password databases, MD5 was the most common algorithm for several years, but bcrypt took the lead in 2020, 2021, 2023 and again so far in 2024, which says more about adoption than about weakness. Password managers such as LastPass, 1Password and Bitwarden use PBKDF2 salted with SHA-256, a strong alternative to MD5, and NIST SP 800-63B lists PBKDF2 among its suitable key derivation functions for password storage.

Can I decode bcrypt?

How do you decrypt an encrypted password in a Mendix app set to bcrypt? You cannot, because passwords are hashed, not encrypted. Hashing is one-way only; you cannot reverse it.

Is SHA better than bcrypt?

So while SHA-256 is more suitable for applications that require frequent interaction, bcrypt is a better solution for safely storing passwords.

What are the weaknesses of bcrypt?

bcrypt: still considered secure, but potentially vulnerable to FPGA attacks. Its fixed memory usage (4 KiB) is a limitation compared to more modern algorithms.

What is bcrypt's cost?

bcrypt takes a cost parameter that sets the number of key-expansion rounds in the algorithm: the work factor is 2^cost, so each increment doubles the time to produce the hash. The cost is an integer between 4 and 31 and is stored in the hash string itself (the `12` in `$2b$12$...`), so it can be raised for new hashes without breaking old ones.

Is bcrypt.js safe?

Security: bcryptjs is a pure-JavaScript implementation of the bcrypt algorithm, which is slow by design (a good property for a password hash) and makes every guess cost real computation. That makes cracking a stolen hash expensive for an attacker, so passwords retain some protection even after a data breach. The safety comes from the algorithm and the chosen cost factor, not from the package.

Is scrypt better than bcrypt?

scrypt is memory-hard with a tunable memory parameter, so it resists GPU and ASIC attackers better than bcrypt's fixed 4 KiB, at the price of being more resource-intensive to run; bcrypt is cheaper and still holds up well against GPUs. "Most secure" only holds if the parameters are tuned: a poorly parameterised scrypt can be weaker than a well-tuned bcrypt.

What is the magic value of bcrypt?

bcrypt uses a 128-bit salt and encrypts a 192-bit magic value: the 24-byte ASCII string `OrpheanBeholderScryDoubt`, encrypted 64 times with a Blowfish state keyed from the password and salt. Only 23 of the 24 ciphertext bytes are encoded into the hash string.

Does bcrypt need Python?

Only the Python binding does. The old py-bcrypt package requires Python 2.4. Older versions may work, but the bcrypt.gensalt() method won't - it requires the cryptographic random number generator os. The currently maintained binding is the `bcrypt` package from PyCA.

What is the fastest secure hash algorithm?

xxHash is an extremely fast hash algorithm, running at RAM speed limits, and it passes the SMHasher test suite, which evaluates the collision, dispersion and randomness qualities of hash functions. It is not a cryptographic hash, though: SMHasher measures statistical quality, not resistance to a deliberate attacker, so xxHash is suitable for checksums and hash tables, never for passwords or integrity protection.

Is SHA faster than bcrypt?

The main difference between bcrypt and SHA-256 is that bcrypt is built to compute the hash as slowly as possible without hindering users, whereas SHA-256 is designed to be computationally fast.

What is the fastest encryption algorithm?

Elliptic Curve Cryptography (ECC)

ECC, favored by agencies including the NSA, is a fast public-key scheme used as a component of the SSL/TLS protocol for key exchange and signatures. It relies on a different mathematical problem from RSA that lets it use much shorter keys for equivalent security, which is where its speed comes from. Bulk data is still encrypted with a symmetric cipher such as AES; ECC only protects the keys.

Is Argon2 faster than bcrypt?

Argon2 is a memory-hard password hashing algorithm, which makes it a good choice for offline key derivation as well as password storage. Its memory and parallelism parameters cost more time and RAM per hash, which can be less convenient for busy web applications, but both are tunable: Argon2 can be configured for sub-second hashing just as bcrypt can. bcrypt exposes only a single cost factor and has no memory or thread parameters at all.

Article information

Author: Nathanael Baumbach