Importing password hash made by PHP fails

Problem statement

We are trying to bulk import users with password hashes from a legacy PHP application. The passwords have been hashed with the crypt() function available in PHP. When the salts are passed to the crypt() function, they are prefixed with a string like “$6$rounds=4096$”, which specifies the number of rounds.

The password hashes are imported, but when users try to log in, they get this error: “You need to update your password because this is the first time you are logging in, or because your password has expired.”

Cause

Password hashes generated this way are passed through the hash algorithm (such as SHA-512) for multiple rounds. Auth0 supports importing SHA-* hashes, but only ones that have been hashed a single time - not looped multiple times.

Solution

Since Auth0 does not support importing these hashes, the two options are:

  1. Bulk import without the password hashes - the users will need to reset their passwords
  2. Use a Custom Database with Import mode (automatic migration) - this will slowly migrate all the users without having to reset their passwords.
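
Before choosing between the two options, it helps to know how many exported hashes are in the multi-round crypt() form described under Cause. The following is an added example, not Auth0 code: it parses strings of the “$6$rounds=4096$” kind and separates them from everything else. The function names, the (email, hash) row layout and the sample rows are assumptions; 5000 is the SHA-crypt default round count when no rounds= field is present.

```python
import re

# Modular crypt format that PHP crypt() emits for SHA-crypt:
#   $<id>$[rounds=<N>$]<salt>$<digest>     id 5 = SHA-256, id 6 = SHA-512
SHA_CRYPT = re.compile(
    r"\$(?P<id>[56])\$(?:rounds=(?P<rounds>\d+)\$)?"
    r"(?P<salt>[^$]{0,16})\$(?P<digest>[./0-9A-Za-z]+)"
)
SCHEMES = {"5": "sha256-crypt", "6": "sha512-crypt"}
DIGEST_LEN = {"5": 43, "6": 86}  # encoded digest length per scheme
DEFAULT_ROUNDS = 5000  # applied by SHA-crypt when rounds= is omitted

# Constructed sample rows (digests are filler, not real password hashes).
SAMPLE = [
    ("alice@example.com", "$6$rounds=4096$saltsaltsaltsalt$" + "A" * 86),
    ("bob@example.com", "$6$shortsalt$" + "B" * 86),
    ("carol@example.com", "$5$rounds=10000$abcdefgh$" + "C" * 43),
    ("dave@example.com", "d" * 32),  # some other legacy format
]


def parse_sha_crypt(hash_string):
    """Return scheme, rounds and salt for a SHA-crypt string, else None."""
    m = SHA_CRYPT.fullmatch(hash_string)
    if not m or len(m["digest"]) != DIGEST_LEN[m["id"]]:
        return None
    rounds = int(m["rounds"]) if m["rounds"] else DEFAULT_ROUNDS
    return {"scheme": SCHEMES[m["id"]], "rounds": rounds, "salt": m["salt"]}


def triage(users):
    """Split (email, hash) rows into iterated SHA-crypt hashes and the rest."""
    iterated, other = [], []
    for email, hash_string in users:
        info = parse_sha_crypt(hash_string)
        if info:
            iterated.append((email, info["scheme"], info["rounds"]))
        else:
            other.append(email)
    return iterated, other


if __name__ == "__main__":
    iterated, other = triage(SAMPLE)
    for email, scheme, rounds in iterated:
        print(f"{email}: {scheme}, {rounds} rounds -> needs reset or migration")
    print("not SHA-crypt, check separately:", other)
```

Rows in the first list are the ones the Cause section applies to, including hashes with no explicit rounds= field, since those are still iterated the default number of times.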