Migrating user account databases


As a part of my work at The Group, I’ve been developing a suite of applications for them. As most web applications do, these applications have to store their user data somewhere – in a database.

As you may guess, the user’s password has been stored as a hash. As a part of some new developments, we are moving our user data into a new table structure, and among that, we are introducing stronger sha1 hashes with salt.

But how do you convert an md5 hash into a sha1 hash?

The issue

To convert md5 into sha1, we would need to know the original password used to make the md5 hash. Now, we might be able to use rainbow tables, but the chances are it may not work with every possible password.

Of course, we can’t email our users “hey can you mail us your password?” – that would not exactly be nice. Another option would be to ask them to register again at our new site, which again would not be that nice.

But if we think about the second alternative again, we might come to a solution…

The solution

When a user logs in to our application, we first check if the user exists in the new database. If they do, that’s fine. If they don’t, we continue and check the old database, and if they are found from the old one, we copy their data into the new one.

The key here is that when the user has just logged in, they have given us their password. This way we can simply use the password given by the user to create a new hash! No need to bug them – it’s all taken care of behind the scenes for them.