Re: Converting passwords to MD5 without downtime

From: Rick Wessman <Rick.WessmanNO_SPAM_at_oracle.com>
Date: 27 Apr 2002 06:34:08 -0700
Message-ID: <aae9cg02me8_at_drn.newsguy.com>


I don't know the exact version of your database, but as of 8i, an MD5 function was provided by the DBMS_OBFUSCATION_TOOLKIT package.

IMO, MD5, while better than unencrypted, is not very secure. I would go with DES or triple DES (also provided in the package).

                                   Rick

In article <d54a9dfe.0204270402.53156cf0_at_posting.google.com>, davidsmith633_at_hotmail.com says...
>
>Hello,
>
>I'm quite new to Oracle, and I've found a problem that seems like it
>could have several solutions. I wonder if you people can help me:
>
>I have a live Oracle 8 database for a web site with around four
>million registered users. The passwords are currently stored
>unencrypted in the database (it wasn't me that set it up!), but they
>should really be stored as an MD5 checksum. (I don't know if Oracle
>has an MD5 function or whether I will need to connect in from Java to
>do this?)
>
>The problem is how to best manage this transition from unencrypted
>passwords to checksums. There is no logic in the database (not even
>primary and foreign keys), everything is handled with JSPs and Java.
>
>Ideally there should be no downtime on the system whilst the change
>takes place.
>
>My thoughts are as follows, although there is perhaps a better way:
>
>1. Modify the Java logic to accept either a clear or MD5 password from
>Oracle, then do the database conversion, then change the Java logic
>again to only accept MD5. The danger here is that changing logic on a
>live server is potentially dangerous, so two changes is not ideal and
>could introduce error.
>
>2. Somehow replicate the table containing the user data, perform the
>MD5 operation on all the rows in the replicated table, then change the
>application to refer to the new table. Perhaps something in Oracle
>would let me do this without having to change the application at all?
>
>Any thoughts on this problem would be appreciated. I am using Oracle
>8, but it would be nice to know about any new features in Oracle 9i
>that make this easier.
>
>Thanks.

                                Rick Wessman
                                Oracle Corporation

     The opinions expressed above are mine and do not necessarily reflect
                         those of Oracle Corporation.
Received on Sat Apr 27 2002 - 15:34:08 CEST
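
Option 1 from the quoted question (accept either format while the rows are converted, then accept only the digest), sketched in Java as an added example that is not part of the original thread. The `{MD5}` tag, the class and method names, and the sample rows are assumptions made for illustration; MD5 appears because it is the target format the thread asks about.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.LinkedHashMap;
import java.util.Map;

public class PasswordMigration {
    // Hypothetical marker: a stored value carrying it is a digest, anything else is legacy cleartext.
    static final String TAG = "{MD5}";

    static String digest(String password) {
        try {
            byte[] d = MessageDigest.getInstance("MD5").digest(password.getBytes(StandardCharsets.UTF_8));
            StringBuilder sb = new StringBuilder(TAG);
            for (byte b : d) sb.append(String.format("%02x", b));
            return sb.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }

    // Pre-flight check, run before any row is converted: a cleartext value that
    // already starts with the tag would later be misread as a digest.
    static boolean safeToTag(Map<String, String> rows) {
        for (String v : rows.values()) if (v.startsWith(TAG)) return false;
        return true;
    }

    // Idempotent, so the batch can be interrupted and re-run against a live table.
    static String convert(String stored) {
        return stored.startsWith(TAG) ? stored : digest(stored);
    }

    // Login check for the transition window: works on converted and unconverted rows alike.
    static boolean verify(String supplied, String stored) {
        return MessageDigest.isEqual(digest(supplied).getBytes(StandardCharsets.US_ASCII),
                                     convert(stored).getBytes(StandardCharsets.US_ASCII));
    }

    public static void main(String[] args) {
        Map<String, String> users = new LinkedHashMap<>(); // constructed sample rows
        users.put("alice", "s3cret");
        users.put("bob", "0123456789abcdef0123456789abcdef"); // cleartext that looks like a hex digest
        if (!safeToTag(users)) throw new IllegalStateException("tag collides with existing data");
        System.out.println("before: " + verify("s3cret", users.get("alice")));
        users.replaceAll((name, stored) -> convert(stored));
        System.out.println("after:  " + verify("s3cret", users.get("alice")));
        System.out.println("bob:    " + verify("0123456789abcdef0123456789abcdef", users.get("bob")));
    }
}
```

Because the tag, not the shape of the value, decides how a row is read, a cleartext password that happens to be 32 hex characters is still handled correctly before and after conversion.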
