One of my websites has a members area where user passwords are stored in the MD5 format. In recent times it has become more and more obvious that MD5 is no longer a secure option.
What in your opinion are the best practices for changing to a more secure form of encryption?
My though is to create a new login script that will first try to log the user in by converting the password to sha(1) then comparing it to the record we have in the db. If that fails, fall back to MD5 and again do a check. If this results in a successful login convert the password provided by user to sha(1) and update the db accordingly.
Is there a preferred option for carrying out this process?