Can't log in using imported pbkdf2 hashed passwords

Hi!

I’m trying to use a user imported into Auth0, using passwords with hash pbkdf2, the job runs successfully, but I can’t log in using the user imported.

Original values:

Hash (hex) = b32252fcd4ec70df9d951bfea92bd0da39cc360b1a4821eb5af01fea6c1857075ea216b74c03bf68f1149849c358450ccb4575071b53d158c03954174c3ab18e

Salt = 50e04e8c45254453dc098782fb51543e

file.json

[   
    {
        "email": "fakeemail@gmail.com",
        "email_verified": true,
        "name": "Test user",
        "custom_password_hash": {
           "algorithm": "pbkdf2",
            "hash": {
                 "value":"$pbkdf2-sha512$i=1000,l=64$NTBlMDRlOGM0NTI1NDQ1M2RjMDk4NzgyZmI1MTU0M2U$YjMyMjUyZmNkNGVjNzBkZjlkOTUxYmZlYTkyYmQwZGEzOWNjMzYwYjFhNDgyMWViNWFmMDFmZWE2YzE4NTcwNzVlYTIxNmI3NGMwM2JmNjhmMTE0OTg0OWMzNTg0NTBjY2I0NTc1MDcxYjUzZDE1OGMwMzk1NDE3NGMzYWIxOGU",
                "encoding": "utf8"
            }
        }
    }

]

error Message

{
  "error": {
    "message": "Password change required.",
    "reason": "Verification failed for the provided custom_password_hash: {'algorithm':'pbkdf2','hash':{'value':'$pbkdf2-sha512$i=1000,l=64$UOBOjEU...','encoding':'utf8'},'salt':{'value':''}}"
  }
}

What am I doing wrong?

`S

Did you follow the PHC format for hash.value mentioned in the pbkdf2 hash import doc?

Here is the link from that doc that describes it:

Yes, i’m using this example:

{
        "email": "cecil@contoso.com",
        "email_verified": false,
        "custom_password_hash": {
            "algorithm": "pbkdf2",
            "hash": {
                "value": "$pbkdf2-sha512$i=100000,l=64$KNyFsA2rWoE$I2CQGI9H0JxdDf3kERRI97kPCGxh0KWBIV3MxyaS191gDGfzVBGyS4BibhgqWQ0/ails8mHuU9ckASxHOOq58w"
            }
        }
    }

And this lib to generate the string

But, no success =/

Can you post the code you are using to create the hash.value? I’d like to try it and see if I can get it working.

=)

This is the code to generate hash.value to use in Auth0 process:

const phc = require("@phc/format");

const exportUsers = (users) => {
  users.map((user) => {
    const value = phc.serialize({
      id: "pbkdf2-sha512",
      params: { i: 1000, l: 64 },
      salt: Buffer.from(user.salt),
      hash: Buffer.from(user.password)
    });
    
    console.log(value);
  });
};

to hash the passwords with pbkdf2 :

import crypto from "crypto";
import _ from "lodash";


export async function hashPassword(password, salt) {
  return crypto.pbkdf2Sync(password, salt, 1000, 64, "sha512").toString("hex");
} 

export async function getHashedCredential(credential) {
  const newCredential = credential;

  if (_.hasIn(credential, "password")) {
    const salt = crypto.randomBytes(16).toString("hex");
    const hash = await hashPassword(credential.password, salt);
    newCredential.password = hash;
    newCredential.salt = salt;
  }

  return newCredential;
}

tks

Hi Dan, any news about the code?

s

I spent a bit of time on this and couldn’t get it to work either. These hash imports are fairly delicate because of the range of params that can be manipulated.

A couple of things I noticed:

  • Your example import has an i of 100000, although it looks like you are using 1000 in your hashPassword function. I don’t think this would happen if you used the exportUsers function you provided, but it’s worth noting, I’m not sure how you could’ve come to that example.
"value": "$pbkdf2-sha512$i=100000,l=64$KNyFsA2rWoE$I2CQGI9H0JxdDf3kERRI97kPCGxh0KWBIV3MxyaS191gDGfzVBGyS4BibhgqWQ0/ails8mHuU9ckASxHOOq58w"
  • The import requires “encoding”: “utf8” (this should default, so it may not be an issue.)
  • In your exportUsers script you are using
hash: Buffer.from(user.password)

Which has a default encoding of utf8. I think you would want to pass

Buffer.from(user.password, 'hex')

All this said, I tried to make these changes and couldn’t get it to accept the password. I suspect there is an encoding issue somewhere, but can’t seem to figure it out.

I noticed these things to, I changed it on my code from 10000 to 1000, just forgot to replace here, sorry.

I tried to use “hex” parameter in my first attempt, but no effect so I just removed it to test the parameters values and forgot it too =/

Thanks, I’m still trying to make it work.

1 Like

Let us know if you have any success!