I have a lot of accounts from an older version of a website that I need to migrate to a new version. Passwords are encrypted with bcrypt and I don't know what the salt was, what library, or anything like that. I only have the data from the database. What would be the best way to allow people to still use those accounts? One thought was, the first time they try to log in, send them an email getting them to update their password. Any other thoughts would be greatly appreciated. The project is running on the MEAN stack, if that matters.

UPDATE:

Is there a chance that it will just work? I tried an account that I knew the password for, and it seems to just work. Does bcrypt do some magic I am unaware of?

codephobia
  • I'd probably go down the exact route that you've mentioned... get them to update their passwords. – H2ONOCK Nov 27 '14 at 09:09
  • Why do users need to change password after YOU migrated the website? I presume if you have data (passwords) and the encryption/decryption algo hasn't been changed, why worry? – vmr Nov 27 '14 at 10:30
  • Migrated the user accounts to a new version of the website done in a totally different language. Passwords are encrypted, so no way to know how they are encrypted. At least, I thought. Imagine these were encrypted with an MD5 with a salt that I have no idea what the salt is. – codephobia Nov 27 '14 at 10:34

1 Answer

So, reading the following question's answer, I learned how bcrypt works, and since I am using the same algorithm, i.e. "2a", and the same power, i.e. "10", it just works, since the salt is stored in the data. I also got two of the passwords for the accounts and tested them. They both worked perfectly.

How can bcrypt have built-in salts?

codephobia
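The answer's point that the algorithm ("2a"), the cost ("10") and the salt all travel inside the stored string can be checked across a whole migrated table before go-live. This is an added example, not code from the original post; the row shape (`user`, `password`), the function names and the sample values are constructed for illustration.

```javascript
// Stored bcrypt layout: $<version>$<cost>$<22-char salt><31-char digest>
const BCRYPT_RE =
  /^\$(2[abxy]?)\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$/;

// Split a stored value into its self-describing parts, or return null.
function parseBcryptHash(stored) {
  const m = BCRYPT_RE.exec(String(stored).trim());
  if (!m) return null;
  const cost = parseInt(m[2], 10);
  if (cost < 4 || cost > 31) return null; // outside bcrypt's cost range
  return { version: m[1], cost, salt: m[3], digest: m[4] };
}

// Group users by the parameters embedded in their hash; anything that is
// not a complete bcrypt string goes to needsReset (the e-mail reset path).
function auditRows(rows) {
  const report = { verifiable: {}, needsReset: [] };
  for (const row of rows) {
    const p = parseBcryptHash(row.password);
    if (!p) {
      report.needsReset.push(row.user);
      continue;
    }
    const key = `${p.version}/${p.cost}`;
    (report.verifiable[key] = report.verifiable[key] || []).push(row.user);
  }
  return report;
}

// Constructed sample rows: placeholder salt/digest text, not real hashes.
const SALT = 'abcdefghijklmnopqrstuu';            // 22 chars
const DIGEST = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ0123O'; // 31 chars
const SAMPLE_ROWS = [
  { user: 'alice', password: `$2a$10$${SALT}${DIGEST}` },
  { user: 'bob', password: `$2b$12$${SALT}${DIGEST}` },
  { user: 'carol', password: '0123456789abcdef0123456789abcdef' },
  { user: 'dave', password: '$2a$10$abcdefghijk' }, // truncated column
];

console.log(JSON.stringify(auditRows(SAMPLE_ROWS), null, 2));
```

Rows that land in `needsReset` are the ones where the "send them an email" fallback from the question still applies.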