
I have a bcrypt hash with a work factor of 11. I want to increase it to 12. I don't have the original password.

How do I do that?

Hristo Kolev
  • Increasing work factor means getting a different hash. You need the original password and rehash with the new factor. – Alejandro Aug 29 '20 at 16:58
  • Why do I need the original password? Just have a hash with a work factor of 11 and get it the rest of the way to 12. This is how it should work in theory. Am I missing something? – Hristo Kolev Aug 29 '20 at 16:59
  • Because bcrypt requires the password for hashing. You could hash again taking the current hash as the "password", but I doubt the security of such a setup. Have a look here for more details: https://crypto.stackexchange.com/a/3021 – Alejandro Aug 29 '20 at 17:08
  • Open that link, read the first answer => first paragraph - this is what I want. "Rehash all passwords immediately, continue the same hash" – Hristo Kolev Aug 29 '20 at 17:17
  • Read not just the title, but also the rest, including the link to the details for BCrypt, where you can find why you simply can't. You can just hash with a trivial function like MD5 (that should never be used for passwords anyway), but for real password hashing functions it depends on how the function is implemented, and for the particular case of BCrypt, the answer is "you can't". – Alejandro Aug 29 '20 at 17:23
  • Probably you can migrate the hashes at the next login (whenever it happens), when you know you have the valid plaintext, and hash again with the new work factor. But without the original password, you can only "concatenate" hashes, which I doubt is a good idea. – Alejandro Aug 29 '20 at 17:24
  • Well, that's on me, I didn't see that link. Sorry. Post it as an answer and I will accept it. – Hristo Kolev Aug 29 '20 at 17:26
  • Let us [continue this discussion in chat](https://chat.stackoverflow.com/rooms/220671/discussion-between-hristo-kolev-and-alejandro). – Hristo Kolev Aug 29 '20 at 17:51

0 Answers