I posted this on security forums elsewhere, as I hoped to give administrators an easy clue on how to update an unbreached database of hashed passwords without waiting for the user to log in to update the hash to a new algorithm. Maybe others have done this, but I'd never seen it mentioned, so ...
Here's my approach.
I'M IGNORING SALTING FOR SIMPLICITY OF DISCUSSION ONLY.
Presume I had the initial passwords stored as:
Now, to update them I could wait for users to log in, OR double hash. Yep, hash the hash. The new algorithm would then become:
or to be precise with salting,
This is an easy way to update existing unbreached databases with new hashing algorithms. It also increases the computational complexity at the same time and, as an added benefit, creates a unique combination of algorithms that can serve to further obfuscate the algorithm used. Later, if I need to change the hash algorithm again, I can continue to add additional hash algorithms, using a third, fourth, fifth, etc. round of hashing the hash of the password.
It could then later be:
Seamless updating of the database.
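The wrapping migration described above, as an added example that is not part of the original post. The post names no algorithms, so the unsalted SHA-1 legacy layer, the PBKDF2 outer layers, the iteration count and the record layout (`chain`, `hash`) are all assumptions made for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 50_000  # sample work factor for this demo (assumption); tune per hardware

# Hypothetical layer registry: each layer maps (input bytes, salt) -> digest bytes.
LAYERS = {
    "sha1": lambda data, salt: hashlib.sha1(data).digest(),  # legacy, unsalted
    "pbkdf2-sha256": lambda data, salt: hashlib.pbkdf2_hmac("sha256", data, salt, ITERATIONS),
    "pbkdf2-sha512": lambda data, salt: hashlib.pbkdf2_hmac("sha512", data, salt, ITERATIONS),
}

def legacy_record(password):
    """Build a record the way the old system stored it (constructed sample data)."""
    return {"chain": [("sha1", b"")], "hash": hashlib.sha1(password.encode()).digest()}

def wrap(record, layer):
    """Hash the stored hash with a new salted layer; the plaintext is never needed."""
    salt = os.urandom(16)
    return {
        # The chain is stored per record so verification knows which layers to replay.
        "chain": record["chain"] + [(layer, salt)],
        "hash": LAYERS[layer](record["hash"], salt),
    }

def migrate(db, layer):
    """Wrap every record in one offline pass, without waiting for any login."""
    return {user: wrap(rec, layer) for user, rec in db.items()}

def verify(record, password):
    """Replay the record's chain over the candidate password, innermost layer first."""
    value = password.encode()
    for layer, salt in record["chain"]:
        value = LAYERS[layer](value, salt)
    return hmac.compare_digest(value, record["hash"])  # constant-time comparison

if __name__ == "__main__":
    db = {"alice": legacy_record("correct horse"), "bob": legacy_record("hunter2")}
    db = migrate(db, "pbkdf2-sha256")   # first upgrade: hash the hash
    db = migrate(db, "pbkdf2-sha512")   # a later upgrade adds a third round
    for user, rec in db.items():
        print(user, [name for name, _ in rec["chain"]], rec["hash"].hex()[:16])
    print(verify(db["alice"], "correct horse"), verify(db["alice"], "hunter2"))
```

Once the wrapped records are in place, the old table and any backups holding the bare inner hashes have to be destroyed as well, since a leaked copy of those is still only as strong as the legacy algorithm.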