Is there a way to convert an MD5 password to something that can be verified by password_verify()?
I read on the Crypt Wikipedia page that "The printable form of MD5 password hashes starts with $1$."
Hence I gave this a shot (without any luck):
$password = "abcd1234";
$md5hash = "$1$".md5($password);
var_dump(password_verify($password, $md5hash));
Is there any way to make password_verify() work with MD5 passwords?
Reason for question: I have an old system where the passwords are stored as MD5 hashes. I want to start using the more secure Password Hashing API. If I'm able to convert the existing password hashes to something that works with password_verify(), I can just update the database entries (prepend $1$ to all password hashes), and my program would work beautifully using the following code (I don't have to make a special case for the old MD5 passwords):
$password; // Provided by user when trying to log in
$hash; // Loaded from database based on username provided by user
if (password_verify($password, $hash)) {
    // The following lines will both update the MD5 passwords
    // and all passwords whenever the default hashing algorithm is updated
    if (password_needs_rehash($hash, PASSWORD_DEFAULT)) {
        $hash = password_hash($password, PASSWORD_DEFAULT);
        // Store the new hash in database
    }
    // User is logged in
} else {
    // User is not logged in
}
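An added example, not part of the original question: a login-time migration that keeps one explicit branch for the legacy rows and replaces each MD5 digest with a password_hash() value on the first successful login. The helper name verify_and_upgrade() is hypothetical, and the code assumes the old column holds a bare, unsalted 32-character hex MD5 digest.

```php
<?php
// Added example. verify_and_upgrade() is a hypothetical helper name.
// Returns [bool $ok, ?string $newHash]; a non-null $newHash means the caller
// should overwrite the stored hash in the database.
function verify_and_upgrade(string $password, string $stored): array
{
    // Legacy row: bare hex MD5 digest (assumed storage format).
    if (preg_match('/\A[0-9a-f]{32}\z/i', $stored) === 1) {
        // hash_equals() compares in constant time.
        if (!hash_equals(strtolower($stored), md5($password))) {
            return [false, null];
        }
        // Correct password for a legacy row: always upgrade it.
        return [true, password_hash($password, PASSWORD_DEFAULT)];
    }

    // Row already written by password_hash().
    if (!password_verify($password, $stored)) {
        return [false, null];
    }
    $new = password_needs_rehash($stored, PASSWORD_DEFAULT)
        ? password_hash($password, PASSWORD_DEFAULT)
        : null;
    return [true, $new];
}

// Constructed sample data standing in for a database row.
$password = 'abcd1234';
$legacy   = md5($password);

// The attempt from the question. The $1$ prefix denotes md5crypt, whose
// format is $1$<salt>$<digest>: crypt() reads at most 8 characters after
// the prefix as a salt, so a raw MD5 digest placed there is never treated
// as the stored digest.
var_dump(password_verify($password, '$1$' . $legacy));

// First login with a legacy row: verified via MD5, upgraded hash returned.
[$ok, $upgraded] = verify_and_upgrade($password, $legacy);
var_dump($ok, password_get_info($upgraded)['algoName']);

// Later login against the upgraded row: password_verify() path only.
[$okAgain, $rehash] = verify_and_upgrade($password, $upgraded);
var_dump($okAgain, $rehash);

// Wrong password against a legacy row is rejected and nothing is rewritten.
var_dump(verify_and_upgrade('wrong-password', $legacy));
```

Accounts that never log in again keep their MD5 digest under this scheme, so the legacy branch has to stay until those rows are expired or reset.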