Sorry, I was trying to point out that you can have it both ways. As pixelcort suggested, do a one-time upgrade of all (weak) hashes to newScheme(oldScheme(password)). But then as users log in, you can upgrade them to just newScheme(password). No need to force a reset just because people haven't logged in recently.
I'm familiar with Django, and they happen to have some nice docs on both parts of the process: bulk upgrade to stronger scheme by wrapping [1] and individual upgrade on login [2]. But the technique isn't unique to Django.
Alright, I understand now. A bit hard to figure that out from your original comment though, but thank you for clarifying!
I'm curious about how using two different algorithms for hashing at the same time would affect entropy. It could be that the original plain-text password has better entropy than the SHA1 hash (if that was your old hashing scheme) of the original password has.
[1]: https://docs.djangoproject.com/en/1.10/topics/auth/passwords...
[2]: https://docs.djangoproject.com/en/1.10/topics/auth/passwords...
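The two-stage upgrade discussed in this thread, as an added example that is not from any commenter or from Django's code: a bulk wrap of stored SHA1 hashes followed by a rehash to the new scheme alone on the next successful login. It assumes unsalted SHA1 as the old scheme and PBKDF2-SHA256 as the new one; the `wrapped`/`direct` labels, the record layout, the function names and the iteration count are hypothetical.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # illustrative value; tune for your hardware


def old_sha1(password: str) -> str:
    """Legacy scheme assumed for this example: unsalted SHA1, hex encoded."""
    return hashlib.sha1(password.encode()).hexdigest()


def _pbkdf2(data: bytes, salt: bytes) -> str:
    return hashlib.pbkdf2_hmac("sha256", data, salt, ITERATIONS).hex()


def wrap_legacy(sha1_hex: str) -> str:
    """Bulk step: needs only the stored SHA1 hash, never the password."""
    salt = os.urandom(16)
    return f"wrapped${salt.hex()}${_pbkdf2(sha1_hex.encode(), salt)}"


def hash_new(password: str) -> str:
    """Target format: newScheme(password) with a fresh salt."""
    salt = os.urandom(16)
    return f"direct${salt.hex()}${_pbkdf2(password.encode(), salt)}"


def verify_and_upgrade(password: str, stored: str):
    """Return (ok, record_to_store); the record changes only on upgrade."""
    parts = stored.split("$")
    if len(parts) != 3:
        return False, stored
    scheme, salt_hex, digest = parts
    salt = bytes.fromhex(salt_hex)
    if scheme == "wrapped":
        # Recompute newScheme(oldScheme(password)) with the stored salt.
        candidate = _pbkdf2(old_sha1(password).encode(), salt)
    elif scheme == "direct":
        candidate = _pbkdf2(password.encode(), salt)
    else:
        return False, stored
    if not hmac.compare_digest(candidate, digest):
        return False, stored
    if scheme == "wrapped":
        # The plaintext is available only now, so drop the SHA1 layer here.
        return True, hash_new(password)
    return True, stored
```

Accounts that never log in again stay in the `wrapped` format, which is still protected by the slow outer hash.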