Can't log in using imported pbkdf2 hashed passwords

alan.unger · April 27, 2021, 9:35am

Hi!

I’m trying to use a user imported into Auth0, using passwords with hash pbkdf2, the job runs successfully, but I can’t log in using the user imported.

Original values:

Hash (hex) = b32252fcd4ec70df9d951bfea92bd0da39cc360b1a4821eb5af01fea6c1857075ea216b74c03bf68f1149849c358450ccb4575071b53d158c03954174c3ab18e

Salt = 50e04e8c45254453dc098782fb51543e

file.json

[   
    {
        "email": "fakeemail@gmail.com",
        "email_verified": true,
        "name": "Test user",
        "custom_password_hash": {
           "algorithm": "pbkdf2",
            "hash": {
                 "value":"$pbkdf2-sha512$i=1000,l=64$NTBlMDRlOGM0NTI1NDQ1M2RjMDk4NzgyZmI1MTU0M2U$YjMyMjUyZmNkNGVjNzBkZjlkOTUxYmZlYTkyYmQwZGEzOWNjMzYwYjFhNDgyMWViNWFmMDFmZWE2YzE4NTcwNzVlYTIxNmI3NGMwM2JmNjhmMTE0OTg0OWMzNTg0NTBjY2I0NTc1MDcxYjUzZDE1OGMwMzk1NDE3NGMzYWIxOGU",
                "encoding": "utf8"
            }
        }
    }

]

error Message

{
  "error": {
    "message": "Password change required.",
    "reason": "Verification failed for the provided custom_password_hash: {'algorithm':'pbkdf2','hash':{'value':'$pbkdf2-sha512$i=1000,l=64$UOBOjEU...','encoding':'utf8'},'salt':{'value':''}}"
  }
}

What am I doing wrong?

`S

dan.woda · April 27, 2021, 11:05pm

Did you follow the PHC format for hash.value mentioned in the pbkdf2 hash import doc?

Here is the link from that doc that describes it:

github.com

P-H-C/phc-string-format/blob/master/phc-sf-spec.md

# PHC string format

## Example

Given the following inputs:

* Password: `hunter2`
* Salt: ```\x81\x98\x95\xFC\xCD`=\xCD\xB6\x12P\a\xFC\x98u\x1F```
* Secret: `pepper`
* Variant: `argon2id`
* Version: `19`
* Time cost: `2`
* Memory cost: `65536`
* Parallelism cost: `1`

Argon2 will generate the following digest:

`$argon2id$v=19$m=65536,t=2,p=1$gZiV/M1gPc22ElAH/Jh1Hw$CWOrkoo7oJBQ/iyh7uJ0LO2aLEfrHwTWllSAxT0zRno`

## Specification

This file has been truncated. show original

alan.unger · April 28, 2021, 1:25pm

Yes, i’m using this example:

{
        "email": "cecil@contoso.com",
        "email_verified": false,
        "custom_password_hash": {
            "algorithm": "pbkdf2",
            "hash": {
                "value": "$pbkdf2-sha512$i=100000,l=64$KNyFsA2rWoE$I2CQGI9H0JxdDf3kERRI97kPCGxh0KWBIV3MxyaS191gDGfzVBGyS4BibhgqWQ0/ails8mHuU9ckASxHOOq58w"
            }
        }
    }

And this lib to generate the string

But, no success =/

dan.woda · April 28, 2021, 3:44pm

Can you post the code you are using to create the hash.value? I’d like to try it and see if I can get it working.

alan.unger · April 29, 2021, 10:53am

=)

This is the code to generate hash.value to use in Auth0 process:

const phc = require("@phc/format");

const exportUsers = (users) => {
  users.map((user) => {
    const value = phc.serialize({
      id: "pbkdf2-sha512",
      params: { i: 1000, l: 64 },
      salt: Buffer.from(user.salt),
      hash: Buffer.from(user.password)
    });
    
    console.log(value);
  });
};

to hash the passwords with pbkdf2 :

import crypto from "crypto";
import _ from "lodash";


export async function hashPassword(password, salt) {
  return crypto.pbkdf2Sync(password, salt, 1000, 64, "sha512").toString("hex");
} 

export async function getHashedCredential(credential) {
  const newCredential = credential;

  if (_.hasIn(credential, "password")) {
    const salt = crypto.randomBytes(16).toString("hex");
    const hash = await hashPassword(credential.password, salt);
    newCredential.password = hash;
    newCredential.salt = salt;
  }

  return newCredential;
}

tks

alan.unger · May 7, 2021, 11:25am

Hi Dan, any news about the code?

s

dan.woda · May 7, 2021, 6:13pm

I spent a bit of time on this and couldn’t get it to work either. These hash imports are fairly delicate because of the range of params that can be manipulated.

A couple of things I noticed:

Your example import has an i of 100000, although it looks like you are using 1000 in your hashPassword function. I don’t think this would happen if you used the exportUsers function you provided, but it’s worth noting, I’m not sure how you could’ve come to that example.

"value": "$pbkdf2-sha512$i=100000,l=64$KNyFsA2rWoE$I2CQGI9H0JxdDf3kERRI97kPCGxh0KWBIV3MxyaS191gDGfzVBGyS4BibhgqWQ0/ails8mHuU9ckASxHOOq58w"

The import requires “encoding”: “utf8” (this should default, so it may not be an issue.)
In your exportUsers script you are using

hash: Buffer.from(user.password)

Which has a default encoding of utf8. I think you would want to pass

Buffer.from(user.password, 'hex')

All this said, I tried to make these changes and couldn’t get it to accept the password. I suspect there is an encoding issue somewhere, but can’t seem to figure it out.

alan.unger · May 8, 2021, 3:32am

I noticed these things to, I changed it on my code from 10000 to 1000, just forgot to replace here, sorry.

I tried to use “hex” parameter in my first attempt, but no effect so I just removed it to test the parameters values and forgot it too =/

Thanks, I’m still trying to make it work.

dan.woda · May 11, 2021, 3:49pm

Let us know if you have any success!

system · June 1, 2021, 5:08pm

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Import user with custom password hash using pbkdf2 algorithm Help user-management , user-import-export	2	1174	July 17, 2023
"Wrong email or password" after bulk user import Help password-hash , bulk-user-import	7	1767	November 21, 2023
Importing users with pbkdf2 algorithm hashed passwords Knowledge Articles import , password , hash , password-hash , export , fail , pbkdf2	1	1269	June 15, 2023
Migration of users (bulk import) with pbkdf2 - not working - encoding not clear Help user-management , automatic-migration	5	818	November 17, 2023
Importing users from SAP Commerce Cloud (pbkdf2-sha1), login fails Help user-management , user-import-export	0	962	May 1, 2023

Can't log in using imported pbkdf2 hashed passwords

Related topics