I've got a Rails 3 production app that uses Devise to deal with authentication. I'd like to change to using bcrypt instead of SHA on the app, but I can't find any resources that explain the process of migrating from one to the other. I am assuming that you will need to have some sort of fallback in place to handle the fact that the passwords at the moment are salted a certain way with SHA...
Anyone done this before?! Any tips, tutorials, walk-throughs, etc.?!
The problems present in traditional UNIX password hashes led naturally to a new password scheme which we call bcrypt, referring to the Blowfish encryption algorithm. Bcrypt uses a 128-bit salt and encrypts a 192-bit magic value.
If you're using Rails to build your application, you can use Devise, a gem designed to make authentication easy. Devise has been used in production applications for years, is widely reviewed, and stores passwords with bcrypt by default.
I don't think there is a solution you would like. I only know of two options -
Reset all user passwords and email them telling them this has been done (and preferably why, so they don't freak out).
As every user logs in, check against the old hash system you had; if it validates, create a new bcrypt hash in a new column and then remove the old, less secure hash, and begin a slow migration that way.
The mathematical power needed to create a rainbow table to move over everyone just isn't likely.
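The second option above, worked through as an added example (not code from the answer, and not Devise's own implementation). The legacy scheme is modeled on the SHA-1 encryptor from devise-encryptable (pepper, then `stretches` rounds of SHA-1 over the salt, previous digest, password and pepper); the pepper and stretch count are placeholder values, and `User`, `build_legacy_user` and the `legacy_*` column names are stand-ins for your own schema. It uses the bcrypt gem when installed; when it is not, PBKDF2-HMAC-SHA256 from OpenSSL stands in only so the migration logic can be run offline, not as a recommendation to use it in place of bcrypt.

```ruby
# Added example: lazy migration from a Devise-style salted SHA-1 hash to bcrypt
# at login time. Not from the original post or from Devise itself.
require 'digest/sha1'
require 'openssl'
require 'securerandom'

begin
  require 'bcrypt'                # the bcrypt-ruby gem Devise uses
  HAVE_BCRYPT = true
rescue LoadError
  HAVE_BCRYPT = false             # assumption for offline runs: PBKDF2 stand-in below
end

PEPPER    = 'replace-with-config.pepper'   # assumption: your Devise pepper
STRETCHES = 10                             # assumption: your Devise stretches

# Constant-time comparison of two hex digests (length is not secret here).
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Legacy scheme, modeled on devise-encryptable's Sha1 encryptor: start from the
# pepper and apply `stretches` rounds of SHA-1 over "--salt--digest--password--pepper--".
# Swap in whatever your old config.encryptor actually computed.
module LegacySha1
  def self.secure_digest(*tokens)
    Digest::SHA1.hexdigest('--' + tokens.flatten.join('--') + '--')
  end

  def self.digest(password, stretches, salt, pepper)
    digest = pepper
    stretches.times { digest = secure_digest(salt, digest, password, pepper) }
    digest
  end
end

# New scheme: bcrypt (salt and cost live inside the "$2a$..." string). Without the
# gem, PBKDF2-HMAC-SHA256 stands in purely so the example runs (assumption, not advice).
module StrongHash
  BCRYPT_COST = 12
  PBKDF2_ITER = 100_000

  def self.create(password)
    return BCrypt::Password.create(password, cost: BCRYPT_COST).to_s if HAVE_BCRYPT
    salt = SecureRandom.hex(16)
    "pbkdf2$#{salt}$#{pbkdf2(password, salt)}"
  end

  def self.verify(password, stored)
    return false if stored.nil?
    if stored.start_with?('$2')
      return false unless HAVE_BCRYPT
      BCrypt::Password.new(stored) == password
    else
      _scheme, salt, hex = stored.split('$', 3)
      secure_compare(pbkdf2(password, salt), hex)
    end
  end

  def self.pbkdf2(password, salt)
    OpenSSL::KDF.pbkdf2_hmac(password, salt: salt, iterations: PBKDF2_ITER,
                             length: 32, hash: 'sha256').unpack1('H*')
  end
end

# Stand-in for the users row: bcrypt goes in encrypted_password, the old digest
# and salt stay in legacy_* columns until the user next logs in.
class User
  attr_accessor :email, :encrypted_password, :legacy_encrypted_password, :legacy_salt

  def initialize(email:, encrypted_password: nil, legacy_encrypted_password: nil, legacy_salt: nil)
    @email, @encrypted_password = email, encrypted_password
    @legacy_encrypted_password, @legacy_salt = legacy_encrypted_password, legacy_salt
  end

  def legacy?
    encrypted_password.nil? && !legacy_encrypted_password.nil?
  end
end

module Authenticator
  # Returns :ok, :ok_migrated or :fail. In a real Devise model this lives in an
  # override of valid_password?; the upgrade happens only after a successful match.
  def self.authenticate(user, password)
    if user.legacy?
      expected = LegacySha1.digest(password, STRETCHES, user.legacy_salt, PEPPER)
      return :fail unless secure_compare(expected, user.legacy_encrypted_password)
      user.encrypted_password = StrongHash.create(password)  # rehash the plaintext just verified
      user.legacy_encrypted_password = nil                    # drop the weak hash and its salt
      user.legacy_salt = nil
      :ok_migrated
    else
      StrongHash.verify(password, user.encrypted_password) ? :ok : :fail
    end
  end
end

# What the old SHA encryptor would have stored for a user (constructed seed data).
def build_legacy_user(email, password)
  salt = SecureRandom.hex(8)
  User.new(email: email, legacy_salt: salt,
           legacy_encrypted_password: LegacySha1.digest(password, STRETCHES, salt, PEPPER))
end

if __FILE__ == $0
  alice = build_legacy_user('alice@example.com', 'correct horse battery')
  p Authenticator.authenticate(alice, 'wrong password')        # :fail, row untouched
  p Authenticator.authenticate(alice, 'correct horse battery') # :ok_migrated
  p alice.legacy?                                               # false
  p Authenticator.authenticate(alice, 'correct horse battery') # :ok
end
```

Two points matter in practice: the rehash only happens after the legacy digest matched, so a wrong guess never touches the row, and the legacy columns are cleared in the same step so the weaker hash does not linger next to the bcrypt one. Users who never log in again keep their SHA hash indefinitely, which is why the first option (a forced reset) is the only way to finish the migration completely.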