Technetium wrote: This is probably a stupid idea, but what would prevent them from, say, using a new hash algorithm on top of the old one, re-hashing all the existing passwords, and having login run the two hashes in sequence?
So currently it uses what we'll call Hash A.
When a password is input on login, it goes plaintext>Hash A and is checked against the stored password, already converted plaintext>Hash A before storing.
What I'm thinking, is, they convert all the stored passwords with another hash, we'll call it B, and have the login setup hash the passwords twice to match, so it goes plaintext>Hash A>Hash B.
Now, I figure there's very likely some reason why this wouldn't work, so if there is, could someone explain what that reason is?
tl;dr is that doing a hash twice doesn't necessarily make it more secure than doing a hash once.
It's more complicated than that, like it would sort of make brute forcing a password harder, but you'd still be relying on MD5.
Like the problem isn't necessarily that somebody gets your password. The problem could very well be that somebody gets a seemingly random string of characters that just so happens to hash to the same value as your password.
I would recommend waiting until BMG fixes the issue to change your password on this site, as your new password could still be compromised until BMG fixes the vulnerability.
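The layered scheme discussed above (plaintext > Hash A > Hash B), as an added example that is not part of any post in this thread or of the site's code. Hash A is MD5 as the thread states; Hash B is assumed here to be salted PBKDF2-HMAC-SHA256, and the function names, iteration count and sample account are constructed for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed work factor for Hash B


def hash_a(password: str) -> bytes:
    """Legacy Hash A: unsalted MD5 of the plaintext."""
    return hashlib.md5(password.encode("utf-8")).digest()


def hash_b(digest_a: bytes, salt: bytes) -> bytes:
    """Hash B (assumed): salted PBKDF2-HMAC-SHA256 over the Hash A digest."""
    return hashlib.pbkdf2_hmac("sha256", digest_a, salt, ITERATIONS)


def migrate(legacy_db: dict) -> dict:
    """Re-hash every stored Hash A digest; no plaintext is needed."""
    new_db = {}
    for user, digest_a in legacy_db.items():
        salt = os.urandom(16)  # fresh per-user salt
        new_db[user] = (salt, hash_b(digest_a, salt))
    return new_db


def check_inner(db: dict, user: str, digest_a: bytes) -> bool:
    """Hash B only ever sees Hash A's output, so any input that yields
    the same Hash A digest is accepted here as well."""
    if user not in db:
        return False
    salt, stored = db[user]
    return hmac.compare_digest(hash_b(digest_a, salt), stored)


def login(db: dict, user: str, password: str) -> bool:
    """Login path: plaintext > Hash A > Hash B."""
    return check_inner(db, user, hash_a(password))


# Constructed sample data: one legacy account stored as Hash A only.
LEGACY_DB = {"alice": hash_a("correct horse")}

if __name__ == "__main__":
    db = migrate(LEGACY_DB)
    print(login(db, "alice", "correct horse"), login(db, "alice", "wrong"))
```

The migration makes each guess against a stolen table cost a full PBKDF2 run, while `check_inner` shows why a collision in Hash A still carries through the outer layer.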