I’m migrating an application from ColdFusion to ASP.Net MVC and have a little problem I cannot seem to get my head around. The original application stores user’s passwords in a MD5 hash format with no salt in the database. I’m using the ASP.Net membership store and would like to allow for as seamless a transition for the existing users as possible. Here’s the possibilities I was thinking of…
1) Since I cannot decrypt the values of their current passwords, I was thinking of storing this old password in a table, checking against it on login… if it’s not empty and their password matches, I prompt them to update their password, which would then set the password properly in the asp.net membership table and wipe out their old password, never to be checked again.
2) Users login with their email, not their screen name, so I was thinking of resetting everyone’s password to their screen name and forcing them to change it after first login. The only problem is that I’m not sure I can update their password via SQL without the current password. Executing the aspnet_Membership_SetPassword proc doesn’t appear to encrypt the password in its own.
What you say?
I’ve used a variant of #1 in a live application. It worked great, users never noticed the change as far as I was aware.
A couple of refinements:
I would under no circumstances use option 2; it’s wildly insecure.
One other thing — it is possible to set a password without knowing their current one, it just requires two steps.