Migrate user accounts out of system with hashed passwords
I have a system with a few thousand user accounts that I need to migrate to a new platform. The system stores a hashed password, not encrypted or (thank goodness) plain text. Also, I don't have the details of the hashing readily available.
What are some effective ways to make the transition? One idea comes to mind off the top of my head:
1. Ahead of time, I can migrate all the data. Current users in the old platform will have an account and all their data in the new platform.
2. Rip out some of the code that currently handles authentication and turn it into a kind of service that will check the validity of the username/password.
3. The new platform can first check its own authentication to see whether the password has been transferred. If it hasn't, it could call the service on the other platform to determine whether it's valid in the old system.
4. If it's not valid, then it tells the user their login was wrong.
5. If it is valid, it now knows the correct password and can populate its own user table with the password (according to whatever scheme that platform uses).
Before you go through too much trouble, have you looked into what the hash algorithm might be? If they were sane enough to use hashed passwords, hopefully they were sane enough to use a common hash algorithm (MD5, SHA1, etc).
Might be worthwhile to try out a few common options to see if you can reverse-engineer what they were doing.
Also, you mention "ripping out some of the code that currently does authentication". How is it that you have the code, but not the hash algorithm?
I went through a similar issue recently except I didn't have access to the hash algorithm that was being used. I think you have 2 choices.
1. Move all of the user profiles over to the new system and have an extra column with their old password hash.
When the user logs in for the first time your system will see no account exists in the new system but a hash exists from the old system. Your system will keep a pre-hash copy of the password and check the hashed version against the old hash.
If the old hash matches, set the password in the new system to what they sent in.
However, if you find you don't have access to the hash algorithm and you have each user's email address, you have another choice. This is what I did actually:
2. Copy over all of the usernames, email addresses, and info from the old to the new system. Put a flag column in the table denoting the user is from the old system.
When the user logs into the new system for the first time, the new system will see that they have an account but have no password.
Have your system put a message on the screen saying something like "We have updated our website and your user account has been converted. You will receive an email shortly with a new temporary password." (Make sure the password or special link works for only a short period of time.)
Send the user a temp password to your new site that will let them log in. Once they log in for the first time, have them reset their password to whatever they like.
The second option worked pretty well for me. I had virtually no user complaints and it is relatively secure since that is the normal process for a user to reset their forgotten password.
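Both migration paths discussed on this page, the lazy re-hash on first login from the question and option 1 above, and the time-limited temporary password from option 2, fit in a few functions. The following is an added example and not code from the question or either comment. It assumes, for illustration only, that the old platform used unsalted hex SHA-1 (swap `legacy_hash` for the real scheme once it is known); the new scheme is salted PBKDF2-HMAC-SHA256; the user table and the sample accounts `alice` and `bob` are constructed in memory. Comparisons use `hmac.compare_digest` so that hash or token checks do not leak timing information, and only a hash of the temporary password is stored.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

PBKDF2_ITERATIONS = 600_000      # work factor for the new scheme
TOKEN_TTL_SECONDS = 15 * 60      # lifetime of a temporary password (option 2)


def legacy_hash(password: str) -> str:
    """Stand-in for the old platform's scheme.

    ASSUMPTION: unsalted hex SHA-1 of the UTF-8 password. Replace this body
    with the real algorithm once it is reverse-engineered; nothing else changes.
    """
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def new_hash(password: str, salt: bytes) -> bytes:
    """New platform's scheme: salted PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               PBKDF2_ITERATIONS)


def set_password(row: dict, password: str) -> None:
    """Store the password under the new scheme and retire all legacy material."""
    row["salt"] = secrets.token_bytes(16)
    row["pw_hash"] = new_hash(password, row["salt"])
    row["legacy_hash"] = None
    row["from_old_system"] = False
    row["reset_token_hash"] = None
    row["reset_expires"] = 0.0


def make_sample_users() -> dict:
    """Constructed migrated table: alice arrived with her old hash (option 1),
    bob arrived flagged but with no usable hash at all (option 2)."""
    blank = dict(salt=None, pw_hash=None, legacy_hash=None,
                 from_old_system=True, reset_token_hash=None, reset_expires=0.0)
    return {
        "alice": dict(blank, legacy_hash=legacy_hash("correct horse")),
        "bob": dict(blank),
    }


def login(users: dict, username: str, password: str) -> bool:
    """Verify a login, lazily re-hashing a legacy account on its first success."""
    row = users.get(username)
    if row is None:
        return False
    if row["pw_hash"] is not None:
        # Already on the new scheme: ordinary verification.
        return hmac.compare_digest(new_hash(password, row["salt"]), row["pw_hash"])
    if row["legacy_hash"] is not None:
        # First login since migration: check the submitted password against the
        # old hash. The plaintext is in hand right now, so re-hash it properly.
        if hmac.compare_digest(legacy_hash(password), row["legacy_hash"]):
            set_password(row, password)
            return True
        return False
    # Imported account with no verifiable hash: the caller should start the
    # temporary-password flow below instead of accepting any password.
    return False


def issue_temp_token(users: dict, username: str,
                     now: Optional[float] = None) -> str:
    """Create a short-lived temporary password for an imported account.
    Returns the plaintext to be emailed; only its SHA-256 is stored."""
    row = users[username]
    token = secrets.token_urlsafe(24)
    row["reset_token_hash"] = hashlib.sha256(token.encode("utf-8")).digest()
    row["reset_expires"] = (time.time() if now is None else now) + TOKEN_TTL_SECONDS
    return token


def redeem_temp_token(users: dict, username: str, token: str,
                      new_password: str, now: Optional[float] = None) -> bool:
    """Exchange a valid, unexpired temporary password for a user-chosen one."""
    row = users.get(username)
    if row is None or row["reset_token_hash"] is None:
        return False
    current = time.time() if now is None else now
    if current > row["reset_expires"]:
        row["reset_token_hash"] = None           # expired tokens are discarded
        return False
    presented = hashlib.sha256(token.encode("utf-8")).digest()
    if not hmac.compare_digest(presented, row["reset_token_hash"]):
        return False
    set_password(row, new_password)              # also clears the token and flag
    return True
```

Once every row has `pw_hash` set and `legacy_hash` is `None` everywhere, the `legacy_hash` column and the old authentication service can be dropped; accounts that never log in can be handled by the option-2 flow or expired after a grace period.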