Tags: ruby-on-rails, sha1, bcrypt, bcrypt-ruby

Migrate SHA1 Salted Hashes To Be Encrypted by Bcrypt


I have an old application (built on .NET C#) that includes a Users table with hashed passwords of the form sha1(password . salt), and I need to migrate this data safely to my new Rails application (which already encrypts passwords using the bcrypt-ruby gem). I'm looking for the best solution to this problem, while avoiding the following kinds of solutions:

  1. Resetting all current users' passwords and forcing them to go through the 'Forgot password' procedure.
  2. Using any kind of plain-text password (even temporarily, for example while a user logs into my new application for the first time).
  3. Using the same SHA1 encryption procedure in the Rails app as well (I need to use BCrypt instead).

I think the best approach (as I've read) is to let users log into my new app using their old passwords (and I don't know how to do that), then encrypt their passwords with BCrypt and follow the same procedure as for newly registered users' password encryption in the Rails app.

I appreciate all suggested solutions to solve this issue.


Solution

  • You're on the right track. You need to...

    • Add a sha1_password field to your Users table in the Rails app.
    • Modify the authentication to...
      • Check their bcrypt password if it's present.
      • Check sha1_password if their new bcrypt password field is blank.
      • If there's a match, you know they are migrating, and you have their plain-text password as well.
      • Set their bcrypt password field.
    • The end.

    This will allow your users to migrate over time. Then at some point you can decide to make the rest go the 'reset password' route, or at least start nagging them by email, and eventually cut over to bcrypt completely.