An old version of an application has some passwords stored in the clear in its database. I have written an updated version that encrypts the passwords when new entries are made, but I don’t have direct access to the database to manually encrypt the entries that already exist. When the update goes live, it will try to decrypt the plaintext passwords, and crash.

Short of doing something drastic like deleting all the existing data, the only other approach I can think of is this (wrapper pseudocode called when the password data is used.):

# data refers to the password data, either encrypted or plain
if data length < AES.block_size:
    # (Shorter than initialization vector, definitely not encrypted.)
    open database and replace password entry with encrypt(data)
    login(username, data)
else:
    try: # try plaintext first
        login(username, data)
    except AuthenticationError:
        login(username, decrypt(data))
    else: #plain text worked, encrypt data for future use.
        open database and replace password entry with encrypt(data)

It seems a shame to keep this code around to solve a problem that goes away after it runs once. Is there any other approach that might work to ensure the passwords are encrypted and only decrypt the ones that need it?