I'm quite new to Oracle, and I've found a problem that seems like it
could have several solutions. I wonder if you people can help me:
I have a live Oracle 8 database for a web site with around four
million registered users. The passwords are currently stored
unencrypted in the database (it wasn't me that set it up!), but they
should really be stored as an MD5 checksum. (I don't know if Oracle
has an MD5 function or whether I will need to connect in from Java to
do this?)
The problem is how to best manage this transition from unencrypted
passwords to checksums. There is no logic in the database (not even
primary and foreign keys), everything is handled with JSPs and Java.
Ideally there should be no downtime on the system whilst the change
takes place.
My thoughts are as follows, although there is perhaps a better way:
- Modify the Java logic to accept either a clear or MD5 password from
Oracle, then do the database conversion, then change the Java logic
again to only accept MD5. The danger here is that changing logic on a
live server is potentially dangerous, so two changes is not ideal and
could introduce error.
- Somehow replicate the table containing the user data, perform the
MD5 operation on all the rows in the replicated table, then change the
application to refer to the new table. Perhaps something in Oracle
would let me do this without having to change the application at all?
Any thoughts on this problem would be appreciated. I am using Oracle
8, but it would be nice to know about any new features in Oracle 9i
that make this easier.
Thanks.