Tim Starling wrote:
You don't need to store the original passwords in a recoverable form in order to rehash them. You can just apply extra hashing to the old hash. This is how the A->B transition worked, and it's how the B->C transition should work too, unless someone knows of some kind of cryptographic problem with it. It's a convenient method because it saves the cost of underground vaults, with no loss in security.
In that case you could always discard the private portion of the key-pair to produce a strictly "one-way" function. And at least with this scheme you always do have the option of moving to 'C' regardless of whether it can accept the end-products of B as inputs. Plus I would wager that asymmetric ciphers will stand up to attacks far longer than most hashing functions.