I have a large database where passwords are stored as strtolower(hex(md5(pass))) (which is a bad way to store passwords: prone to rainbow tables, cheap to dictionary attack, no salt, etc.), and I’m tasked with switching from md5 to bcrypt.
I have to use a bcrypt implementation that silently truncates after 72 bytes, and silently truncates on the first null byte (whichever comes first), and bcrypt(strtolower(hex(md5(pass)))) would not be prone to either of those issues.
Also, it’s possible to retroactively apply bcrypt to existing strtolower(hex(md5(pass))) password hashes, without requiring everyone to re-login/switch passwords.
Is it a bad idea? I don’t think so, but still want to hear what security.SE has to say. Maybe there is something important I’m missing.
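
The scheme described in the question, sketched in PHP as an added example (not the poster's code): stored MD5 hex digests are wrapped in bcrypt without needing the plaintext, and login applies MD5 to the submitted password before the bcrypt check. The function names, cost values and sample accounts are assumptions constructed for illustration.

```php
<?php
declare(strict_types=1);

// Legacy format from the question: lowercase hex MD5.
// Always 32 ASCII characters and never contains a NUL byte, so the
// 72-byte and NUL truncation of the bcrypt implementation cannot apply.
function legacy_md5_hex(string $password): string
{
    return strtolower(md5($password)); // md5() already returns lowercase hex
}

// Retroactive upgrade of one stored value: bcrypt over the existing digest.
function wrap_legacy_hash(string $md5Hex, int $cost = 12): string
{
    // Refuse anything that is not a legacy digest, e.g. a row already migrated.
    if (preg_match('/\A[0-9a-f]{32}\z/', $md5Hex) !== 1) {
        throw new InvalidArgumentException('not a lowercase hex MD5 digest');
    }
    return password_hash($md5Hex, PASSWORD_BCRYPT, ['cost' => $cost]);
}

// Login check against a migrated row.
function verify_password(string $password, string $storedBcrypt): bool
{
    return password_verify(legacy_md5_hex($password), $storedBcrypt);
}

// Constructed sample table: username => legacy digest as currently stored.
$users = [
    'alice' => md5('correct horse battery staple'),
    'bob'   => md5(str_repeat('A', 72) . 'tail-1'), // longer than 72 bytes
    'carol' => md5("pass\0word-a"),                 // contains a NUL byte
];

// One-off migration pass; no user has to log in for this to run.
foreach ($users as $name => $md5Hex) {
    $users[$name] = wrap_legacy_hash($md5Hex, 10);
}

// Correct password, then two passwords that differ from the stored one
// only past byte 72 and only after the NUL byte respectively.
var_dump(verify_password('correct horse battery staple', $users['alice']));
var_dump(verify_password(str_repeat('A', 72) . 'tail-2', $users['bob']));
var_dump(verify_password("pass\0word-b", $users['carol']));
```

Once every row is wrapped, the original MD5 column has to be dropped; otherwise the unsalted digests remain stored next to the bcrypt ones.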