Use a migration script to turn your plain-text passwords into MD5-encrypted passwords.
From years of consulting work, I can tell you that although people say their web applications have encrypted passwords, they often do not. Realistically, though, encrypting passwords is just not that difficult to do. Even worse, any site that can send you the exact text of your password when you click the "I forgot my password" link stores a copy of your password in clear text somewhere. Needless to say, this isn't a good thing.
So why are encrypted passwords so important? First, because anyone who gets access to the database through a security hole can get access to the entire system. Second, most people talk about using different passwords on different accounts, but end up using the same, or similar, passwords, simply because it's easier. Getting a password on one machine can mean having access to other, possibly more important accounts. This hack describes how to migrate a table of users and passwords from plain text to MD5 encryptions.
Save the code in Example 6-27 as schema.sql.
Example 6-27. The original schema file
DROP TABLE IF EXISTS users; CREATE TABLE users ( id MEDIUMINT NOT NULL AUTO_INCREMENT, name TEXT, pass TEXT, PRIMARY KEY( id ) );
Save the code in Example 6-28 as users.sql.
Example 6-28. The original nonencoded passwords
INSERT INTO users VALUES ( 0, "jack", "toronto" ); INSERT INTO users VALUES ( 0, "megan", "omaha" );
Save the code in Example ...