Move customer accounts out of system with hashed passwords

I have a system with a couple of thousand customer accounts that I require to move to a new system. The system shops a hashed password, not encrypted or (give thanks to benefits) plain message. Additionally, I do not have the information of the hashing conveniently offered.

What are some reliable means to make the change? One suggestion enters your mind off the top of my head:

  1. Beforehand, I can move all the information. Existing customers in the old system will certainly have an account and also all their information in the new system.
  2. Remove several of the code that presently takes care of verification and also transform it right into a sort of solution that will certainly examine the legitimacy of the username/password.
  3. The new system can first examine it's very own verification to see whether the password has actually been moved. If it hasn't,. it can call the solution on the various other system to establish whether it's legitimate in the old system.
  4. If it's not legitimate, after that it informs the customer their login was incorrect.
  5. If it stands, it currently recognizes the proper password and also can inhabit its very own customer table with the password (according to whatever system that system makes use of).
2019-05-04 18:08:32
Source Share
Answers: 2

I experienced a comparable concern lately other than I really did not have accessibility to the hash algorithm that was being made use of. I assume you have 2 selections.

  1. Relocate every one of the customer accounts over to the new system and also have an added column with their old password hash.
  2. When the customer visit for the very first time your system will certainly see no account exists in the new system yet a hash dates the old system. Your system will certainly maintain a pre-hash duplicate of the password and also examine the hashed variation versus the old hash.
  3. If the old hash matches set the password in the new system to what they sent out in.

Nonetheless, if you locate you do not have accessibility to the hash algorithm and also you have each customers email address you have an additional selection. This is what I did in fact :

  1. Copy over every one of the usernames, e-mail address, and also details from the old to the new system. Place a flag column in the table representing the customer is from the old system.
  2. When the customer logs right into the new system for the very first time, the new system will certainly see that they have an account yet have no password.
  3. Have your system placed a message on the screen claiming something like "We have actually upgraded our website and also your customer account has actually been transformed. You will certainly receive an e-mail quickly with a new short-lived password (see to it the password or unique link benefits just a brief amount of time).
  4. Send the customer a temperature password to your new website that will certainly allow them visit. Once they visit for the very first time have them reset their password to whatever they such as.

The 2nd alternative functioned rather well for me. I had basically no customer issues and also it is reasonably safe and secure because that is the regular procedure for a customer to reset their neglected password.

2019-05-08 02:55:15

Before you go however way too much problem, have you checked into what the hash algorithm could be? If they were rational adequate to make use of hashed passwords, with any luck they were rational adequate to make use of an usual hash algorithm (MD5, SHA1, etc).

Could be rewarding to experiment with a couple of usual alternatives to see if you can reverse-engineer what they were doing.

Additionally, you state "removing several of the code that presently does verification". Just how is it that you have the code, yet not the hash algorithm?

2019-05-08 02:45:04