
I have a system where users can sign up via Facebook or via a regular form. If a user signs up via Facebook, my system generates a random password, just to allow the user to log in without Facebook if he wants. If a user signs up using the regular form, he can type any password he wants. Either way, passwords are encoded into an MD5 hash, but without salting. It is insecure, I know; this is the reason I'm here.

I don't know the best strategy to convert the passwords into secure ones... First, I'm thinking of keeping the insecure MD5 password, and when the user logs in, I can match the password without salt, salt it, and then update the database. But it doesn't solve my problem, because the system will still accept the insecure password. Besides that, the user can still log in using Facebook, which does not allow me to update their password (since he didn't use it).

So, does anybody have an idea to minimize the impact instead of just forcing everyone to update their passwords?

Thanks!

Daniel Ribeiro
    I answered a similar question here [Moving old passwords to new hashing algorithm](http://stackoverflow.com/a/14402451/575765). – martinstoeckli Apr 27 '13 at 13:07
  • This is a nice tip, @martinstoeckli, thanks! I will hash-the-hash to make it more secure. – Daniel Ribeiro May 02 '13 at 19:32
  • You are welcome. One more tip: please use a slow hash function like BCrypt to hash your passwords; functions like MD5 or SHA-* are way too fast for hashing passwords. – martinstoeckli May 02 '13 at 19:39

1 Answer


So, I've taken the following actions to solve my problem.

  1. Created a column "LastPasswordChange" in the users table.
  2. When the user changes the password, the field is updated with the current date. Also, an e-mail is sent to the user to inform them that the password was changed, with a link to revert it in case this is wrong (due to a possible hack).
  3. The e-mail allows the user to log in and set a new password without knowing the last one used.
  4. When the user logs in using the current password, the system looks at the LastPasswordChange field, and if it is null, it allows the login without using the salt.
  5. Whichever way he/she logs in (Facebook or login/password), the system looks at the LastPasswordChange field, and if it is null, it requires the user to change the current password to a different one (not matching the old one without salt).

That's it.

Daniel Ribeiro
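The following is an added example, not code from the question or the answer, that puts together martinstoeckli's "hash the hash" tip from the comments and the LastPasswordChange flow from the answer. It is a deliberately minimal in-memory model: the users table, the e-mail sender and the Facebook callback are stand-ins, and PBKDF2-HMAC-SHA256 from Python's standard library is used in place of bcrypt so the example runs without third-party packages (in production bcrypt or argon2id, as the comment recommends, is the better choice). The two legacy rows are constructed sample data. The main point it shows beyond the answer's wording: wrapping every existing MD5 value in a salted slow hash can be done offline, for Facebook users too, so no bare MD5 is left at rest while the forced password change still happens at the next login.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Callable, Dict, Optional

# Assumption: PBKDF2 work factor for the example; bcrypt/argon2id preferred in production.
ITERATIONS = 200_000

# Constructed sample rows, stored exactly as the legacy system did: unsalted MD5 hex.
LEGACY_ROWS = {
    "alice": hashlib.md5(b"correct horse").hexdigest(),   # signed up via the form
    "bob": hashlib.md5(b"rnd-7f3a9c1e").hexdigest(),      # Facebook signup, random password
}


@dataclass
class PasswordRecord:
    scheme: str    # "pbkdf2(md5)" = wrapped legacy hash, "pbkdf2" = password hashed directly
    salt: bytes
    digest: bytes


@dataclass
class User:
    name: str
    record: PasswordRecord
    last_password_change: Optional[datetime] = None   # the new column; None = never changed


def _slow_hash(material: bytes, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", material, salt, ITERATIONS)


def wrap_legacy_md5(md5_hex: str) -> PasswordRecord:
    """Hash-the-hash: protect an existing MD5 value at rest without knowing the password."""
    salt = os.urandom(16)
    return PasswordRecord("pbkdf2(md5)", salt, _slow_hash(md5_hex.encode(), salt))


def hash_password(password: str) -> PasswordRecord:
    salt = os.urandom(16)
    return PasswordRecord("pbkdf2", salt, _slow_hash(password.encode(), salt))


def verify_password(record: PasswordRecord, password: str) -> bool:
    # Legacy records are checked by recomputing MD5 first, then the slow hash over it.
    if record.scheme == "pbkdf2(md5)":
        material = hashlib.md5(password.encode()).hexdigest().encode()
    else:
        material = password.encode()
    return hmac.compare_digest(_slow_hash(material, record.salt), record.digest)


def migrate_table(legacy_rows: Dict[str, str]) -> Dict[str, User]:
    """One-off offline migration of every row; no bare MD5 remains in the table."""
    return {name: User(name, wrap_legacy_md5(md5_hex)) for name, md5_hex in legacy_rows.items()}


def login(user: User, password: str) -> str:
    """Step 4/5: legacy password still opens the session, but only into a forced change."""
    if not verify_password(user.record, password):
        return "denied"
    return "ok" if user.last_password_change else "must_change_password"


def login_via_facebook(user: User) -> str:
    """Step 5 for the Facebook path: identity is Facebook's, the never-changed password must still go."""
    return "ok" if user.last_password_change else "must_change_password"


def change_password(user: User, new_password: str, notify: Callable[[str], None]) -> bool:
    """Step 2/5: reject the old (legacy) password, store a fresh salted hash, stamp the column, notify."""
    if verify_password(user.record, new_password):
        return False
    user.record = hash_password(new_password)
    user.last_password_change = datetime.now(timezone.utc)
    notify(user.name)   # stand-in for the "password changed, click to revert" e-mail
    return True


if __name__ == "__main__":
    users = migrate_table(LEGACY_ROWS)
    print(login(users["alice"], "correct horse"))        # must_change_password
    print(change_password(users["alice"], "correct horse", print))  # False: same as old
    print(change_password(users["alice"], "new pass 42", print))    # True, prints "alice"
    print(login(users["alice"], "new pass 42"))          # ok
    print(login_via_facebook(users["bob"]))               # must_change_password
```

Once every user has a non-null LastPasswordChange, the "pbkdf2(md5)" branch in verify_password can be deleted; until then, a stolen table yields only salted slow hashes, not the original MD5 values an offline cracker could attack directly.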