Migrate old md5 passwords to bcrypt passwords


Problem description


I'm reworking a website in Rails using Devise for authentication. The previous website works with a database of users with md5 passwords, and therefore I want to migrate these passwords to the encryption that Devise uses. How do I solve it?

Solution

Oleksi and josnidhin did a great job at answering your question. I just wanted to add some ideas on what to do during the transition phase:

Migrate the DB towards having two "password hash" columns, one containing the existing old MD5 hashes, and another one for the new bcrypt hashes, initially all filled with NULL. The next time a user logs in, you do these steps:

1) Check if there's already a value in the bcrypt column. If so continue with 3., otherwise with 2.

2) Authenticate the user with the old MD5 mechanism using the value from the MD5 column. If successful, additionally compute the new bcrypt hash and store it in the new column. Done.

3) Authenticate the user using the bcrypt value. Simply ignore the MD5 value.

Then from time to time, check whether the new bcrypt column is filled. If so, discard the MD5 column and update your app to only use the new mechanism.

But that's wishful thinking, there are always some users that haven't logged in in the meantime. Send them a mail telling them what you are doing, that it's for their best and ask them kindly to log in soon.

After a couple of weeks, check the bcrypt status again. If there are still some passwords missing (there will be :)), what you could do is to just reset the passwords of these users, generate a random one and inform them via mail, much like what you would do if they forgot their passwords.

Then, you can finally purge the MD5 column, discard the corresponding code and upgrade your app to only use the new authentication.
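
The login-time steps 1) to 3) and the later status check from the answer above, as an added Ruby example (not code from the original answer or from Devise). Assumptions: the legacy column holds unsalted hex MD5 digests, the `User` struct and its column names are hypothetical, and when the bcrypt gem is not installed a labelled PBKDF2 stand-in replaces it so the script still runs.

```ruby
require "digest"
require "openssl"
require "securerandom"

begin
  require "bcrypt" # the gem Devise uses for its password hashes
  SLOW_CREATE = ->(pw) { BCrypt::Password.create(pw).to_s }
  SLOW_VERIFY = ->(stored, pw) { BCrypt::Password.new(stored) == pw }
rescue LoadError
  # Stand-in so the example runs without gems: salted PBKDF2, NOT bcrypt.
  kdf = lambda do |pw, salt|
    OpenSSL::KDF.pbkdf2_hmac(pw, salt: salt, iterations: 100_000,
                             length: 32, hash: "sha256").unpack1("H*")
  end
  SLOW_CREATE = ->(pw) { s = SecureRandom.hex(16); "#{s}$#{kdf.(pw, s)}" }
  SLOW_VERIFY = ->(stored, pw) { s, h = stored.split("$", 2); secure_eq(h, kdf.(pw, s)) }
end

# Hypothetical user row with the two hash columns described in the answer.
User = Struct.new(:email, :md5_hash, :bcrypt_hash)

# Constant-time string comparison for the digest check.
def secure_eq(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Returns true when the password is accepted.
def login(user, password)
  # Steps 1 and 3: a new hash exists, so the MD5 value is ignored.
  return SLOW_VERIFY.(user.bcrypt_hash, password) if user.bcrypt_hash
  return false if user.md5_hash.nil? # no hash at all: needs a reset
  # Step 2: verify against the legacy MD5 digest (assumed unsalted hex).
  return false unless secure_eq(user.md5_hash, Digest::MD5.hexdigest(password))
  user.bcrypt_hash = SLOW_CREATE.(password) # upgrade while the plaintext is at hand
  true
end

# The periodic check: rows that still need a reminder mail or a reset.
def pending_migration(users)
  users.select { |u| u.bcrypt_hash.nil? }
end

# Constructed sample rows (not from the page): one user logs in, one never does.
users = [User.new("a@example.test", Digest::MD5.hexdigest("hunter2"), nil),
         User.new("b@example.test", Digest::MD5.hexdigest("letmein"), nil)]
login(users[0], "hunter2") # first successful login fills the new column
puts pending_migration(users).map(&:email)
```

In a Rails app the assignment in step 2 would be a database update on the user record, and the MD5 branch is the code to delete once `pending_migration` comes back empty.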
