Home/ Questions/Q 7024341
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-27T23:49:39+00:00

I’m updating a database hashing algorithm. My current system runs on md5 and I

  • 0

I’m updating a database hashing algorithm.

My current system runs on md5 and I want to change it into BCrypt +salt.

My problem is when an old user(users whos password hashed in md5) is login with his old password I want to automatically change the password to BCrypt+salt in database.

       if // check if the password stored in bcrypt
        salt = IDA::Config.get_configuration('salt')
        hash_password = BCrypt::Password.new(hash)
         return (BCrypt::Password.create(salt['salt_value']+password) == (salt['salt_value']+password)) ? true : false

      else // for users who's password encrypted in md5.

        salt = IDA::Config.get_configuration('salt') // i"m getting a salt here 
         BCrypt::Password.create(salt['salt_value']+password) // Im getting a salted bcryptted password  and I tried to put this into db manually and try to login it works perfectly
          // I want to write this new salted password into db once the user is authenticated with his old password
        return (Digest::MD5.hexdigest(password) == hash) ? true : false

I want to write this in model.Any help will be greatly appreciated.
Thanks

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    First off, BCrypt (both the library and the gem) handles salt so you can nix all of the salt business.

    Second what you really want is a way of re-hashing all of your records sensitive data (passwords I assume). So here’s what you do:

    1. Add a field to the model, something like “is_bcrypt?” and boolean.
    2. Write and run this:
    # First we need to make sure the bcrypt library is there
require 'bcrypt'

# Gather all of the records
records = YourModel.all

# Go over each of the records
records.each do |record|
  # Check to see if the record has a bcrypt'ed password
  unless record.is_bcrypt?
    # If it doesn't take the value of password, unhash it, rehash it
    record.password = BCrypt::Password.create Digest::MD5.hexdigest password

    # If it saves correctly, mark the thing as being rehashed
    record.is_bcrypt = true if record.save
  end
end

    See comments for details. The new field is_bcrypt is just so you can know which records have been hashed and which haven’t. It only happens if they actually save too.

    When this is done, and you’re sure all the code concerning passwords is refactored you can take out that field.

    • 0