Hash password via password reset

mario3 · November 12, 2020, 7:00pm

Hello everyone!
We are at the moment attempting to hash a password via the password reset using universal login.

imagine something like this
const shaObj = new jsSHA(“SHA-256”, “TEXT”, { encoding: “UTF8” });
shaObj.update(password);

is there anyway we can hash the password before submitting using the universal login password reset?
from my understanding and looking at the code the inputs are at the moment being generated via a JS Function which appears to be limited to what you can do with it.

Thanks

dan.woda · November 13, 2020, 5:35pm

Hi @mario3,

Welcome to the Community!

There isn’t going to be a straightforward way to do this. Can I ask why you would want to?

mario3 · November 13, 2020, 6:32pm

We’re trying to migrate our old authentication signin from our old system and it was using pre hashing before submitting it to the DB thats the reason why we are trying to do it.

trying to keep that consistent thank you

dan.woda · November 13, 2020, 7:01pm

I see. Are you migrating your hashes over and you are worried they won’t work without the first round of hashing?

Timish · November 13, 2020, 7:51pm

Hey,
I am from the same team, so I gonna continue from here.

So I did migrate all of our userbase to auth0. I saved all passwords from the old base for convenience. The old app was prehashing passwords on the client with sha256 before sending them to server that was hashing them with bcrypt. I found way to prehash on login and registration in universal login form, but reset password is made of js function only and is being generated, so I could’t find the straight way to prehash. I thought to hide form and just have custom inputs with custon submit button that would just prehash, put prehashed values to inputs and fire the original submit button. But the value of original input buttons aren’t getting updated. Is there a proper and fast way to resolve this issue ? or you would suggest other ways of solving this ?

dan.woda · November 30, 2020, 9:13pm

You could always create your own pw reset flow with the management API, but this will require extra effort on your side.

Out of curiosity, why you are doing this?

If an attacker got ahold of the hashed password they could simply use that to access the user’s account. I see how you could potentially be preventing a cred stuffing attack by obscuring a reused pw, but I’m not sure this is adding much security for your app, and it will certainly complicate things for using Auth0.

system · November 30, 2020, 9:13pm

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.