Converting passwords to MD5 without downtime

From: David Smith <davidsmith633_at_hotmail.com>
Date: 27 Apr 2002 05:02:35 -0700
Message-ID: <d54a9dfe.0204270402.53156cf0_at_posting.google.com>


Hello,

I'm quite new to Oracle, and I've found a problem that seems like it could have several solutions. I wonder if you people can help me:

I have a live Oracle 8 database for a web site with around four million registered users. The passwords are currently stored unencrypted in the database (it wasn't me that set it up!), but they should really be stored as an MD5 checksum. (I don't know if Oracle has an MD5 function or whether I will need to connect in from Java to do this?)

The problem is how to best manage this transition from unencrypted passwords to checksums. There is no logic in the database (not even primary and foreign keys), everything is handled with JSPs and Java.

Ideally there should be no downtime on the system whilst the change takes place.

My thoughts are as follows, although there is perhaps a better way:

  1. Modify the Java logic to accept either a clear or MD5 password from Oracle, then do the database conversion, then change the Java logic again to only accept MD5. The danger here is that changing logic on a live server is potentially dangerous, so two changes is not ideal and could introduce error.
  2. Somehow replicate the table containing the user data, perform the MD5 operation on all the rows in the replicated table, then change the application to refer to the new table. Perhaps something in Oracle would let me do this without having to change the application at all?

Any thoughts on this problem would be appreciated. I am using Oracle 8, but it would be nice to know about any new features in Oracle 9i that make this easier.

Thanks. Received on Sat Apr 27 2002 - 14:02:35 CEST

Original text of this message