Migrate old md5 passwords to bcrypt passwords


Question

I'm reworking a website in Rails using Devise for authentication. The previous website works with a database of users with md5 passwords, and therefore I want to migrate these passwords to the encryption that Devise uses. How do I solve it?

Recommended answer

Oleksi and josnidhin did a great job at answering your question. I just wanted to add some ideas on what to do during the transition phase:

Migrate the DB towards having two "password hash" columns, one containing the existing old MD5 hashes, and another one for the new bcrypt hashes, initially all filled with NULL. The next time a user logs in, you do these steps:

1) Check if there's already a value in the bcrypt column. If so, continue with 3., otherwise with 2.

2) Authenticate the user with the old MD5 mechanism using the value from the MD5 column. If successful, additionally compute the new bcrypt hash and store it in the new column. Done.

3) Authenticate the user using the bcrypt value. Simply ignore the MD5 value.

Then from time to time, check whether the new bcrypt column is filled. If so, discard the MD5 column and update your app to only use the new mechanism.

But that's wishful thinking, there are always some users that haven't logged in in the meantime. Send them a mail telling them what you are doing, that it's for their best and ask them kindly to log in soon.

After a couple of weeks, check the bcrypt status again. If there are still some passwords missing (there will be :)), what you could do is to just reset the passwords of these users, generate a random one and inform them via mail, much like what you would do if they forgot their passwords.

Then, you can finally purge the MD5 column, discard the corresponding code and upgrade your app to only use the new authentication.
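The login flow and the two clean-up steps described in this answer, written out as an added Ruby example that is not part of the original question or answer. It assumes the two columns are called `md5_hash` and `bcrypt_hash` (the users table is modelled as an in-memory Hash), and that the legacy site stored the unsalted hex MD5 of the password; a salted legacy scheme would change only the `LegacyMd5` module. The new hash uses the `bcrypt` gem (what Devise uses) when it is installed; purely so the example runs stand-alone without the gem, it falls back to PBKDF2-HMAC-SHA256 from Ruby's OpenSSL stdlib, which is a stand-in for this example and not a suggestion to use it instead of bcrypt. Names such as `MigratingAuthenticator`, `NewHasher` and the sample users are constructed for the example.

```ruby
require 'digest/md5'
require 'openssl'
require 'securerandom'

# Legacy scheme. Assumption for this example: the old site stored the unsalted
# hex MD5 of the password. A salted scheme would change only this module.
module LegacyMd5
  # Constant-time comparison so the legacy check does not leak hash bytes via timing.
  def self.secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end

  def self.verify(password, stored)
    !stored.nil? && secure_equal?(Digest::MD5.hexdigest(password), stored)
  end
end

# New scheme: the bcrypt gem (Devise's default) when it is installed. Without it,
# fall back to PBKDF2-HMAC-SHA256 from Ruby's OpenSSL stdlib so the flow still
# runs; that fallback is a stand-in for this example, not a replacement for bcrypt.
begin
  require 'bcrypt'
  module NewHasher
    def self.create(password)
      BCrypt::Password.create(password).to_s
    end

    def self.verify(password, stored)
      BCrypt::Password.new(stored) == password
    end
  end
rescue LoadError
  module NewHasher
    ITERATIONS = 100_000

    def self.derive(password, salt, iterations)
      OpenSSL::KDF.pbkdf2_hmac(password, salt: salt, iterations: iterations,
                               length: 32, hash: 'sha256').unpack1('H*')
    end

    def self.create(password)
      salt = SecureRandom.hex(16)
      "pbkdf2$#{ITERATIONS}$#{salt}$#{derive(password, salt, ITERATIONS)}"
    end

    def self.verify(password, stored)
      _, iterations, salt, hex = stored.split('$')
      LegacyMd5.secure_equal?(derive(password, salt, iterations.to_i), hex)
    end
  end
end

# Login flow over a users table modelled as { email => { md5_hash:, bcrypt_hash: } },
# with bcrypt_hash nil for every row right after the schema migration.
class MigratingAuthenticator
  def initialize(users)
    @users = users
  end

  # Returns :ok, :ok_migrated (legacy password verified, new hash stored) or :fail.
  def authenticate(email, password)
    user = @users[email]
    return :fail unless user
    # Steps 1 and 3: a bcrypt hash already exists, so verify with it and ignore MD5.
    if user[:bcrypt_hash]
      return NewHasher.verify(password, user[:bcrypt_hash]) ? :ok : :fail
    end
    # Step 2: legacy path. Verify MD5; on success compute and store the new hash.
    return :fail unless LegacyMd5.verify(password, user[:md5_hash])
    user[:bcrypt_hash] = NewHasher.create(password)
    :ok_migrated
  end

  # The periodic check from the answer: who still has no bcrypt hash?
  def unmigrated_emails
    @users.select { |_, row| row[:bcrypt_hash].nil? }.keys
  end

  # Final step for stragglers: random password, MD5 value dropped, new passwords
  # returned so the app can mail them (the mailer itself is not modelled).
  def reset_unmigrated!
    unmigrated_emails.each_with_object({}) do |email, out|
      new_password = SecureRandom.urlsafe_base64(12)
      @users[email][:bcrypt_hash] = NewHasher.create(new_password)
      @users[email][:md5_hash] = nil
      out[email] = new_password
    end
  end
end

# Constructed sample rows: what the table holds right after the schema migration.
def sample_users
  { 'alice@example.com' => { md5_hash: Digest::MD5.hexdigest('correct horse'), bcrypt_hash: nil },
    'bob@example.com' => { md5_hash: Digest::MD5.hexdigest('hunter2'), bcrypt_hash: nil } }
end
```

`MigratingAuthenticator.new(sample_users)` then `authenticate('alice@example.com', 'correct horse')` returns `:ok_migrated` on the first login and `:ok` afterwards, while a wrong password on the legacy path leaves `bcrypt_hash` nil. In a Rails app the write of the new hash happens inside the login request, so it should go in the same transaction as the rest of the sign-in; and for the stragglers, mailing an expiring one-time reset link rather than the random password itself is the safer variant of the final step.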
