I have an existing database with about 1.6 million users in it. Currently the passwords are stored as salted SHA1, I'd like to upgrade them all to salted SHA256.
The approach I've taken so far if to migrate each user as they login, essentially validate their password against the old hash and if it matches create a new stronger hash. This works fine, but it's a slow process.
As far as I can see there is no easy way to shortcut this process. Is there a better way?
Unless you stored the original plaintext passwords somewhere, you cannot "upgrade" hashes. The text that got hashed is destroyed, and you can't simply "un-sh1" to get it back. Your method is probably the only practical method, unless you want to bulk-generate new sha256-based pws for your users and email them the new one.
What you describe is an appropriate and legitimate method of migrating users from a weaker/older hash algorithm to a stronger/newer hash algorithm. I have successfully implemented this technique in multiple situations. Trying to migrate everyone at once is a horrible UX idea and then you run into the problem of needing to mail out passwords, which is a bad idea for multiple reasons, both security and UX.
I would suggest that since you are undertaking such an effort now, that you consider using a different algorithm than salted SHA-256. Salted SHA-512 offers a higher level of security, and implementing a scheme where you stretch the hash is even better (do some high number of iterations of SHA-512 - starting with the password+salt of course). Or, you can take advantage of an algorithm already specifically designed for password hashing such as bcrypt, scrypt, or PBKDF2.