Why Do Some Companies Not Upgrade All Their Hash Passwords To Enhanced Versions? Meet Enhanced Entropy

We have the mighty Troy Hunt coming along this week to chat to our students. One thing he outlined from the Have I Been Pwnd? web site, is that quite a few data breaches that he analysed have a mixture of old hashes (eg MD5) and new hashes (eg Bcrypt). This means that when a company moves over to Bcrypt, they do not reset the password methods of the other passwords.

Troy thought this was strange, and it should be possible to convert all the passwords in a single time period, and the MD5 hash can be used as an input to Bcrypt. In this case, Bob’s password is hashed with SHA-384, and then fed into Bcrypt. The input to Bcrypt will thus be a high entropy input, and which will strengthen the hashed version of the password.

The standard BCrypt method supports up to a 56 byte password limits — and which is limited due to the maximum size of the Blowfish key of 448 bits. To support longer passwords it is possible to pre-hash the password with SHA384, by default, in order to increase the…