Tim Starling wrote:
> You don't need to store the original passwords in a recoverable form
> in order to rehash them. You can just apply extra hashing to the old
> hash. This is how the A->B transition worked, and it's how the B->C
> transition should work too, unless someone knows of some kind of
> cryptographic problem with it. It's a convenient method because it
> saves the cost of underground vaults, with no loss in security.

In that case you could always discard the private portion of the key-pair to
produce a strictly "one-way" function. And at least with this scheme you always
do have the option of moving to 'C' regardless of whether it can accept the
end-products of B as inputs. Plus I would wager that asymmetric ciphers will
stand up to attacks far longer than most hashing functions.
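
Added example, not part of the original thread: the chained rehash described in the quoted text, where each new scheme is applied to the previous scheme's stored output, so migration never needs the plaintext. The concrete schemes (MD5 for A, salted MD5 for B, PBKDF2 for C), the record fields and the function names are assumptions made for illustration.

```python
import hashlib
import hmac
import os

# Assumed schemes (illustrative, not taken from the thread):
#   A = hex MD5 of the password
#   B = hex MD5 of salt + "-" + A
#   C = PBKDF2-HMAC-SHA256 over B

def hash_a(password: str) -> str:
    return hashlib.md5(password.encode()).hexdigest()

def wrap_a_to_b(a_hash: str, salt: str) -> str:
    return hashlib.md5(f"{salt}-{a_hash}".encode()).hexdigest()

def wrap_b_to_c(b_hash: str, salt: bytes, rounds: int = 100_000) -> str:
    return hashlib.pbkdf2_hmac("sha256", b_hash.encode(), salt, rounds).hex()

def migrate(record: dict) -> dict:
    """Upgrade a stored record by one scheme using only the stored hash."""
    if record["scheme"] == "A":
        salt = os.urandom(4).hex()
        return {"scheme": "B", "salt_b": salt,
                "hash": wrap_a_to_b(record["hash"], salt)}
    if record["scheme"] == "B":
        salt = os.urandom(16)
        return {**record, "scheme": "C", "salt_c": salt.hex(),
                "hash": wrap_b_to_c(record["hash"], salt)}
    return record  # already at the newest scheme

def verify(password: str, record: dict) -> bool:
    """Replay the same chain of layers that produced the stored hash."""
    h = hash_a(password)
    if record["scheme"] in ("B", "C"):
        h = wrap_a_to_b(h, record["salt_b"])
    if record["scheme"] == "C":
        h = wrap_b_to_c(h, bytes.fromhex(record["salt_c"]))
    # Constant-time comparison of the final layer
    return hmac.compare_digest(h, record["hash"])
```

The record must keep the salt of every layer, because verification has to recompute the whole chain from the submitted password.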