Convert Md5 To Yii Password

I have an old application where passwords stored in md5. Now we need to rewrite it on Yii2 and we want to do not ask users to reenter passwords (or click forgot link etc).

So what is the best way to convert existing passwords to Yii 2 passwords?

There is a yii extension called YiiPassword that does exatcly that. I can’t post link to this forum because I don’t have enough posts but you can find it by searching “YiiPassword” on github.

Now, this is for yii (not yii2) so you can either :


[*]Update the extension to yii2

[*]Salvage some bits of the code that you need to get the jobs done

[*]Simply inspire yourself from the code


Good luck.

Thanks, I will try.

Also I think I can do it without extension: when user signs in I can check if his password is md5 and re-encode it.

hi Alex, i have same situation. But i still can’t find a solution.

how do you solved this situation ? and what do you mean by " re-encode " md5 password ?


md5 can’t really be reversed into string password so you have to ask your users about resetting their passwords.

You need to edit your login logic. When user enters his password you first need to try to sign in him using Yii 2 default bcrypt logic.

If password is incorrect, you do the next step - a try to sign in using md5. If this try is successful you need to encode user password using Yii2 default bcrypt algorithm and save it.

After some time all your active users will be migrated to bcrypt. The rest users will still be able to login.

1 Like

force users to change their passwords!

You can do the following:

  1. Have 2 password fields in the user table. One contains old md5 password and other is blank which will hold bcrypt-hashed password. Also another field as "bcrypt_done".

  2. In your login checking function first check if the md5 hash matches with the md5 hash stored in user table, if it matches make the bcrypt hash of the password and store it. Also mark that record "bcrypt_done" and in next login check for bcrypt hash instead for md5 hash for that record.

After process is done for all users what Will you do with two fields?

Best way is to force users to change password or after login with md5 is successful encrypt that user’s password innew way.

Thank you!