java, database, encryption, cryptography, password-protection

How can I Change my application's password hashing?


I have a back-end which has passwords stored with Hashing-A (one way); I want them converted to Hashing-B (one way). I want the Hashing-A passwords removed and changed to Hashing-B.

In the back-end I can simply change the password to Hashing-B during the next login, but the real issue is in the application: my application sends the password hashed with Hashing-A. I can change it, but old applications will continue facing the same issue; I cannot simply roll out a new version of the old application.

It's practically not possible to make any changes in old applications.

What is the best possible way to do this without keeping Hashing-A in my back-end?


Solution

  • Generally, password hashes with strengthening are used to avoid brute-force or dictionary attacks on the database. If an attacker steals the server or database, then it will be hard to retrieve the passwords because the salt and iteration count add an additional level of defence to the strength of the passwords themselves.

    It therefore does make sense to add iterations (work factor) and possibly additional salt bytes to the already stored hash values. The only real requirement is that the original hash is not completely broken (i.e. it is a cryptographically secure hash) with a large enough output.

    What you can do is add some kind of identifier to the newly changed hash value: a protocol identifier and possibly parameters. That way you can change the hash values even online, selecting either direct comparison (in your case) or additional work on the server to perform the B hash.

    You cannot crack this because the Hashing-A value is no longer available to the attacker, and there is no way of reversing Hashing-B to get to Hashing-A. Of course, it is and remains of vital importance to keep the password or the Hashing-A value secure while in transport. But you can simply deploy TLS 1.2 to avoid that.
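As an added illustration of the answer's approach (example code, not from the question or the answer): Hashing-A is assumed here to be an unsalted SHA-256 hex digest that the unchanged client sends, Hashing-B is assumed to be PBKDF2-HMAC-SHA256 applied to that value, and each wrapped record carries a protocol identifier and its parameters so the server knows which comparison to run. Legacy rows can be wrapped offline in bulk, or on the next successful login.

```python
import base64
import hashlib
import hmac
import os

PROTOCOL_ID = "pbkdf2-sha256"   # identifier prefixed to every wrapped record (assumed format)
ITERATIONS = 200_000


def client_hash_a(password: str) -> str:
    """Hashing-A as the old, unchangeable client computes it (assumed: unsalted SHA-256 hex)."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def wrap_hash_a(hash_a: str, iterations: int = ITERATIONS, salt: bytes = b"") -> str:
    """Hashing-B: PBKDF2 over the stored Hashing-A value with a fresh salt and work factor.
    Needs only the stored hash, not the password, so a whole table can be migrated offline."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", hash_a.encode("ascii"), salt, iterations)
    return "$".join([PROTOCOL_ID, str(iterations),
                     base64.b64encode(salt).decode("ascii"),
                     base64.b64encode(dk).decode("ascii")])


def verify(stored: str, hash_a_from_client: str) -> bool:
    """Accept the Hashing-A value the client sends, whichever record format is stored."""
    if stored.startswith(PROTOCOL_ID + "$"):
        _, iters, salt_b64, dk_b64 = stored.split("$")
        dk = hashlib.pbkdf2_hmac("sha256", hash_a_from_client.encode("ascii"),
                                 base64.b64decode(salt_b64), int(iters))
        return hmac.compare_digest(dk, base64.b64decode(dk_b64))
    # Legacy record: bare Hashing-A value, direct constant-time comparison.
    return hmac.compare_digest(stored.encode("ascii"), hash_a_from_client.encode("ascii"))


def login(stored: str, hash_a_from_client: str) -> tuple:
    """Verify, and wrap a legacy record on success so Hashing-A leaves the database.
    Returns (accepted, record_to_store)."""
    ok = verify(stored, hash_a_from_client)
    if ok and not stored.startswith(PROTOCOL_ID + "$"):
        stored = wrap_hash_a(hash_a_from_client)
    return ok, stored


def migrate_table(rows: dict) -> dict:
    """Bulk offline migration: every bare Hashing-A value becomes a wrapped record."""
    return {user: (rec if rec.startswith(PROTOCOL_ID + "$") else wrap_hash_a(rec))
            for user, rec in rows.items()}
```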