Import users with a bcrypt password hash salted with 12 rounds

Hi all,
I am working on importing users from a custom db into an auth0 db. Our previous datastore utilized flask_bcrypt which by default uses 12 salt rounds so our passwords are prepended with $2b$12$ (12 rounds) vs $2b$10$ (10 rounds).

According to the documentation, the standard password_hash import requires bcrypt with 10 rounds.

Does Auth0 support custom password hashes with salt rounds other than 10? If not what are options for importing users without requiring a password change?

Thanks!

If your hashes don’t use 10 rounds you won’t be able to import them through the password_hash property because that one makes an assumption on both the algorithm and number of rounds.

However, bcrypt is a supported algorithm to be imported as the custom_password_hash property which should then allow you to import the 12 round hashes you currently use although I confess I haven’t tested this recently. In order to use custom_password_hash you’ll have to adjust the import schema as it’s not just providing the string hash directly (custom_password_hash is actually an object), but the documented you linked covers that format as well (see https://auth0.com/docs/users/bulk-user-import-database-schema-and-examples#bcrypt).

1 Like

Hi jmagelo!

Thanks for the reply. Looks like as long as we use custom_password_hash auth0 can infer the number of password rounds from the value itself. The following payload worked for me. Thanks for your help on this!

[
  {
    "email": "demo@example.com",
    "email_verified": false,
    "custom_password_hash": {
        "algorithm": "bcrypt",
        "hash": {
            "value": "$2y$12$0QPGUIpFXxgNOjeF2vNGgOyHGrv/pgrwGsFL6uGX5VEWsw3iG4.JK"
        }
    }
  }
]

1 Like

Thanks for sharing it with the rest of community!

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.