Can't log in using imported pbkdf2 hashed passwords

alan.unger · April 27, 2021, 9:35am

Hi!

I’m trying to use a user imported into Auth0, using passwords with hash pbkdf2, the job runs successfully, but I can’t log in using the user imported.

Original values:

Hash (hex) = b32252fcd4ec70df9d951bfea92bd0da39cc360b1a4821eb5af01fea6c1857075ea216b74c03bf68f1149849c358450ccb4575071b53d158c03954174c3ab18e

Salt = 50e04e8c45254453dc098782fb51543e

file.json

[   
    {
        "email": "fakeemail@gmail.com",
        "email_verified": true,
        "name": "Test user",
        "custom_password_hash": {
           "algorithm": "pbkdf2",
            "hash": {
                 "value":"$pbkdf2-sha512$i=1000,l=64$NTBlMDRlOGM0NTI1NDQ1M2RjMDk4NzgyZmI1MTU0M2U$YjMyMjUyZmNkNGVjNzBkZjlkOTUxYmZlYTkyYmQwZGEzOWNjMzYwYjFhNDgyMWViNWFmMDFmZWE2YzE4NTcwNzVlYTIxNmI3NGMwM2JmNjhmMTE0OTg0OWMzNTg0NTBjY2I0NTc1MDcxYjUzZDE1OGMwMzk1NDE3NGMzYWIxOGU",
                "encoding": "utf8"
            }
        }
    }

]

error Message

{
  "error": {
    "message": "Password change required.",
    "reason": "Verification failed for the provided custom_password_hash: {'algorithm':'pbkdf2','hash':{'value':'$pbkdf2-sha512$i=1000,l=64$UOBOjEU...','encoding':'utf8'},'salt':{'value':''}}"
  }
}

What am I doing wrong?

`S

dan.woda · April 27, 2021, 11:05pm

Did you follow the PHC format for hash.value mentioned in the pbkdf2 hash import doc?

Here is the link from that doc that describes it:

github.com

P-H-C/phc-string-format/blob/master/phc-sf-spec.md

# PHC string format

## Example

Given the following inputs:

* Password: `hunter2`
* Salt: ```\x81\x98\x95\xFC\xCD`=\xCD\xB6\x12P\a\xFC\x98u\x1F```
* Secret: `pepper`
* Variant: `argon2id`
* Version: `19`
* Time cost: `2`
* Memory cost: `65536`
* Parallelism cost: `1`

Argon2 will generate the following digest:

`$argon2id$v=19$m=65536,t=2,p=1$gZiV/M1gPc22ElAH/Jh1Hw$CWOrkoo7oJBQ/iyh7uJ0LO2aLEfrHwTWllSAxT0zRno`

## Specification

This file has been truncated. show original

alan.unger · April 28, 2021, 1:25pm

Yes, i’m using this example:

{
        "email": "cecil@contoso.com",
        "email_verified": false,
        "custom_password_hash": {
            "algorithm": "pbkdf2",
            "hash": {
                "value": "$pbkdf2-sha512$i=100000,l=64$KNyFsA2rWoE$I2CQGI9H0JxdDf3kERRI97kPCGxh0KWBIV3MxyaS191gDGfzVBGyS4BibhgqWQ0/ails8mHuU9ckASxHOOq58w"
            }
        }
    }

And this lib to generate the string

But, no success =/

dan.woda · April 28, 2021, 3:44pm

Can you post the code you are using to create the hash.value? I’d like to try it and see if I can get it working.

alan.unger · April 29, 2021, 10:53am

=)

This is the code to generate hash.value to use in Auth0 process:

const phc = require("@phc/format");

const exportUsers = (users) => {
  users.map((user) => {
    const value = phc.serialize({
      id: "pbkdf2-sha512",
      params: { i: 1000, l: 64 },
      salt: Buffer.from(user.salt),
      hash: Buffer.from(user.password)
    });
    
    console.log(value);
  });
};

to hash the passwords with pbkdf2 :

import crypto from "crypto";
import _ from "lodash";


export async function hashPassword(password, salt) {
  return crypto.pbkdf2Sync(password, salt, 1000, 64, "sha512").toString("hex");
} 

export async function getHashedCredential(credential) {
  const newCredential = credential;

  if (_.hasIn(credential, "password")) {
    const salt = crypto.randomBytes(16).toString("hex");
    const hash = await hashPassword(credential.password, salt);
    newCredential.password = hash;
    newCredential.salt = salt;
  }

  return newCredential;
}

tks

alan.unger · May 7, 2021, 11:25am

Hi Dan, any news about the code?

s

dan.woda · May 7, 2021, 6:13pm

I spent a bit of time on this and couldn’t get it to work either. These hash imports are fairly delicate because of the range of params that can be manipulated.

A couple of things I noticed:

Your example import has an i of 100000, although it looks like you are using 1000 in your hashPassword function. I don’t think this would happen if you used the exportUsers function you provided, but it’s worth noting, I’m not sure how you could’ve come to that example.

"value": "$pbkdf2-sha512$i=100000,l=64$KNyFsA2rWoE$I2CQGI9H0JxdDf3kERRI97kPCGxh0KWBIV3MxyaS191gDGfzVBGyS4BibhgqWQ0/ails8mHuU9ckASxHOOq58w"

The import requires “encoding”: “utf8” (this should default, so it may not be an issue.)
In your exportUsers script you are using

hash: Buffer.from(user.password)

Which has a default encoding of utf8. I think you would want to pass

Buffer.from(user.password, 'hex')

All this said, I tried to make these changes and couldn’t get it to accept the password. I suspect there is an encoding issue somewhere, but can’t seem to figure it out.

alan.unger · May 8, 2021, 3:32am

I noticed these things to, I changed it on my code from 10000 to 1000, just forgot to replace here, sorry.

I tried to use “hex” parameter in my first attempt, but no effect so I just removed it to test the parameters values and forgot it too =/

Thanks, I’m still trying to make it work.

dan.woda · May 11, 2021, 3:49pm

Let us know if you have any success!

system · June 1, 2021, 5:08pm

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.