.. when the user tries to log in, a hash of his password is sent
No. When the user tries to log in, the password is sent (encrypted in transit
, then decrypted (in memory only) to clear text on the server).
Given this, how do you propose the password is re-hashed without having the original password to work from?
At next successful login. Add password expiry functionality (i.e. max 30 days), and we can ensure that all passwords are either
- invalid, or
- re-hashed with increased cost over the next 30 days.
No matter how great and destructive your problems may seem now, remember, you've probably only seen the tip of them.