A former developer used the PHP hash() function with the SHA256 algorithm to store password hashes. To improve the security of the system, I'd like to start using crypt() with the Blowfish algorithm (unfortunately we don't have PHP 5.5 and thus password_hash() is not available).
Since SHA256 is a non-reversible hashing algorithm, is there a way to start using crypt() with the salted passwords without asking everyone to reset their password?
You should use the compatibility library then. It will make it easier for you when you move to 5.5.
Re-hashing without asking the user for the password... well, you can wait until the next time users log in, and then use the password extension's password_verify() function. If it fails then you can fall back on the old SHA256 hash. If the SHA256 hash matches then you can rehash the password using password_hash() and save it in the old hash's place:
if (password_verify($password, $hash)) {
// Matches...
} elseif (hash('sha256', $password) == $hash) {
// Matches...
$newHash = password_hash($password);
// Save $newHash in the old hash's place
} else {
die('Invalid password...');
}
It is technically possible to crack a lot of the hashes, but there are too many problems with that (you would not get all of them, it is most likely not feasible, it may not even be legal, etc.).