legacy tables & password encryption


and...@benjamin.dk

May 13, 2013, 8:30:07 AM
to plataforma...@googlegroups.com
Hello,

I have an app running on Rails 3.0.20 which uses its own custom authentication system. The database is in Postgres and I am trying to implement Devise 1.5.4, which is the most suitable version for my app. Since the passwords were being stored with Digest::SHA1.hexdigest(string), which is not regressable, I would need to keep the passwords (we have more than 100 000 users and it's not suitable for our time constraints to ask every user to redefine their password). The 2 solutions I see here are:

- use my custom password function, redefining the one used by Devise (doing something like this - http://www.markrichman.com/2010/11/22/rails-devise-datamapper-authentication/)

- or, before the password is encrypted by Devise, use the custom encrypt function and give the result of that to Devise to treat (having to make all the records go through this process before the code can go live)

I like the second option better because the only problem I see in it is a little overhead from applying one more encryption. The first one brings more customization to the table and uses another encryption that we know not to be that secure, and more customization brings more flaws as well.

But my question is: what is the best way of implementing the second, and what's your opinion on this? Which one is better and easier/faster to implement?

All the best,

Andre
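
The second option described in the post above (wrap the existing SHA1 digests once, then repeat the same two steps at login), as an added example that is not part of the original thread or of Devise's code. PBKDF2 from Ruby's standard library stands in for Devise's bcrypt step so it runs without gems; the method names, the stored format and the sample rows are constructed for illustration.

```ruby
require 'digest/sha1'
require 'openssl'
require 'securerandom'

# Assumption: PBKDF2-HMAC-SHA256 (stdlib) stands in for the bcrypt step that
# Devise would apply; the layering is the same with either function.
ITERATIONS = 100_000 # constructed work factor for this example
KEY_LEN    = 32

# What the legacy system stored, per the post: Digest::SHA1.hexdigest(string).
def legacy_digest(password)
  Digest::SHA1.hexdigest(password)
end

def kdf_hex(secret, salt, iters)
  OpenSSL::PKCS5.pbkdf2_hmac(secret, salt, iters, KEY_LEN, OpenSSL::Digest.new('SHA256')).unpack1('H*')
end

# One-off migration step: wrap a stored SHA1 hex digest in a salted, slow KDF.
# It needs only the stored digest, never the user's plaintext password.
def wrap_legacy_digest(sha1_hex, salt = SecureRandom.hex(16))
  ['pbkdf2-sha1wrap', ITERATIONS, salt, kdf_hex(sha1_hex, salt, ITERATIONS)].join('$')
end

# Compare without stopping at the first differing byte.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# Login check: SHA1 the submitted password, run the KDF with the stored salt
# and iteration count, then compare against the stored value.
def valid_password?(stored, password)
  scheme, iters, salt, expected = stored.to_s.split('$')
  return false unless scheme == 'pbkdf2-sha1wrap' && iters.to_i > 0 && salt && expected
  secure_compare(kdf_hex(legacy_digest(password), salt, iters.to_i), expected)
end

# Constructed sample rows standing in for the legacy users table.
LEGACY_ROWS = { 'alice' => legacy_digest('correct horse'), 'bob' => legacy_digest('hunter2') }

# Migrate every row; the result replaces the old SHA1 column.
def migrate(rows)
  rows.transform_values { |sha1_hex| wrap_legacy_digest(sha1_hex) }
end
```

The unsalted SHA1 column has to be dropped once the wrapped values are in place, otherwise the weaker digests remain available to anyone who obtains the table.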

and...@benjamin.dk

May 14, 2013, 7:36:37 AM
to plataforma...@googlegroups.com
I have actually decided to go with the first option, since the second did not prove to be as easy as it should be and the first one is well documented and works.

But to do the first I have to add a configuration setting:

config.apply_schema = false devise

which I am really familiar with what it does and what kind of changes it brings to the application! Should I be careful about making changes to the table/model with this option? What exactly are the consequences of doing so?

Thanks for your help in advance,

Andre 