I would use bcrypt as the new hash. Otherwise, your solution of "wrapping" the old hashes should be secure, given that you use a good salt for bcrypt. I've seen this solution work well a few times when systems want to upgrade how they hash their passwords.
Oleksi