In a new post to her site Lorna Mitchell encourages you to upgrade to better passwords by using either the built-in password hashing functions (available since PHP 5.5) or the userland implementation (which works on PHP 5.3.7 and later).
The password features in PHP aren't exactly new, but I see lots of applications from "before" which aren't being migrated to better practices. I have some strategies for doing these migrations so I thought I'd share my main approach, plus a similar-but-different one I saw in the wild (OK it was in CakePHP, so not too wild!).
She offers a few steps to follow to upgrade your application to use the bcrypt solution instead of your current format:
- Update Login Code (change SQL to just fetch the password, not evaluate it)
- Hash existing passwords
- Update registration code (for new passwords to use the new method)
- Migrate users with old password hashes once they've verified their current login
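The four steps above, worked through as an added example that is not code from Lorna Mitchell's post: an in-memory array stands in for the users table, the `legacy` flag marking a bcrypt-wrapped MD5 hash is an assumption of this example, and a plain MD5 is assumed as the old format.

```php
<?php
// Added example, not from the original post. Column names and the `legacy`
// flag (true = stored value is bcrypt over the old MD5 hash) are assumptions.
declare(strict_types=1);

// Constructed sample data: two pre-migration users still stored as bare MD5.
$users = [
    'alice' => ['hash' => md5('correct horse'),  'legacy' => true],
    'bob'   => ['hash' => md5('battery staple'), 'legacy' => true],
];

// Step 2: wrap every existing MD5 hash in bcrypt right away, so no bare MD5
// remains in the table while waiting for users to log in again.
function wrapLegacyHashes(array &$users): void
{
    foreach ($users as &$row) {
        if ($row['legacy'] && preg_match('/^[0-9a-f]{32}$/', $row['hash'])) {
            $row['hash'] = password_hash($row['hash'], PASSWORD_DEFAULT);
        }
    }
}

// Step 3: new registrations get a native password_hash() value from the start.
function register(array &$users, string $user, string $password): void
{
    $users[$user] = ['hash' => password_hash($password, PASSWORD_DEFAULT), 'legacy' => false];
}

// Steps 1 and 4: fetch the stored hash, verify it in PHP rather than in SQL, and
// on success replace a wrapped-MD5 hash (or one made with an outdated cost)
// with a fresh bcrypt hash of the password the user just proved they know.
function login(array &$users, string $user, string $password): bool
{
    if (!isset($users[$user])) {
        return false;
    }
    $row = $users[$user];
    $candidate = $row['legacy'] ? md5($password) : $password;  // legacy rows were MD5 first
    if (!password_verify($candidate, $row['hash'])) {
        return false;
    }
    if ($row['legacy'] || password_needs_rehash($row['hash'], PASSWORD_DEFAULT)) {
        $users[$user] = ['hash' => password_hash($password, PASSWORD_DEFAULT), 'legacy' => false];
    }
    return true;
}

wrapLegacyHashes($users);
register($users, 'carol', 'new user secret');
var_dump(login($users, 'alice', 'correct horse'), $users['alice']['legacy']);
var_dump(login($users, 'alice', 'wrong password'));
```

After the first successful login alice's row holds a native bcrypt hash and `legacy` is false; bob's row stays wrapped until he logs in.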
She also mentions alternatives to these approaches including forcing the user to change their password on login.