Aren't the old passwords vulnerable as long as the Sha1 value is still around? Does it get deleted when converted to 512? Also, any reason you didn't switch to something like bcrypt, scrypt, or PBKDF2? Modern best practices generally recommend one of those, although for a site like Hubski Sha512 is probably good enough with proper salting.
Yes, the old Sha1 is deleted on conversion. Time. I only converted the data, I wasn't in the hashing code. At some point we'll upgrade the encoding to bcrypt or a successor. Time is always against us. We all have full time jobs, and my life in particular has been incredibly busy for the last nine months. Once all the code is converted to Racket, this kind of thing will be much faster. Every Arc change requires painstakingly figuring out what each poorly-documented function and macro does.Aren't the old passwords vulnerable as long as the Sha1 value is still around? Does it get deleted when converted to 512?
any reason you didn't switch to something like bcrypt, scrypt, or PBKDF2?