Importing users with pbkdf2 algorithm hashed passwords

Problem statement

The users imported with this algorithm can’t log in.

Symptoms

Users’ passwords don’t work after import

Steps to Reproduce

  • Import user with pbkdf2 algorithm
  • Log in with known previous password

Cause

There could be different causes:

  • The algorithm is not correct
  • The string value lacks salt
  • The length is not correct
  • The digest is not correct

Solution

The hash.value must be provided in the PHC string format. The digest should be appended after the pbkdf2 part of the string with a dash: pbkdf2-<digest>.

"value": "$pbkdf2-sha1$i=1000,l=64${salt}${hash}"

where:

  • i is the iteration count (integer).
  • l is the derived key length (dklen) in bytes, as an integer (e.g. a 512-bit key is 64 bytes).

Both the salt and hash need to be B64 encoded, i.e. standard base64 with the padding characters ('=') omitted.

A common pitfall is to use a B64 encoding tool that expects a UTF-8/ASCII string when the hash in the legacy system is encoded differently, for example hexadecimal. Please ensure the correct input encoding for the chosen tool is used when deriving the B64 encoded value for the import JSON.
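The format above and the hex-encoding pitfall, as an added example (not from the original article or the import tool's own code): it builds the PHC string from a legacy record whose salt and hash are stored as hex text, decoding them to raw bytes first, and verifies the result by re-deriving the key with Python's hashlib. The record values are constructed for this example.

```python
import base64
import hashlib
import hmac
import re

# PHC "B64": standard base64 alphabet with the '=' padding omitted.
def b64_encode(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii").rstrip("=")

def b64_decode(text: str) -> bytes:
    return base64.b64decode(text + "=" * (-len(text) % 4))

def build_phc(digest: str, iterations: int, salt: bytes, derived_key: bytes) -> str:
    """$pbkdf2-<digest>$i=<iters>,l=<dklen>$<B64 salt>$<B64 hash>; l is the key length in bytes."""
    return (f"$pbkdf2-{digest}$i={iterations},l={len(derived_key)}"
            f"${b64_encode(salt)}${b64_encode(derived_key)}")

def from_hex_legacy(digest: str, iterations: int, salt_hex: str, hash_hex: str) -> str:
    # Decode the hex text to raw bytes before B64-encoding; encoding the hex
    # characters themselves yields a value that can never verify.
    return build_phc(digest, iterations, bytes.fromhex(salt_hex), bytes.fromhex(hash_hex))

PHC_RE = re.compile(r"^\$pbkdf2-(\w+)\$i=(\d+),l=(\d+)\$([A-Za-z0-9+/]+)\$([A-Za-z0-9+/]+)$")

def verify(phc: str, password: str) -> bool:
    """Re-derive the key from the PHC string and compare in constant time."""
    m = PHC_RE.match(phc)
    if not m:
        return False
    digest, iters, dklen, salt_b64, hash_b64 = m.groups()
    expected = b64_decode(hash_b64)
    if len(expected) != int(dklen):
        return False  # 'l' does not match the stored hash length
    try:
        actual = hashlib.pbkdf2_hmac(digest, password.encode("utf-8"),
                                     b64_decode(salt_b64), int(iters), int(dklen))
    except ValueError:
        return False  # digest name not supported
    return hmac.compare_digest(actual, expected)

def sample_import_values() -> tuple:
    """Constructed legacy record: hex salt and hex PBKDF2-HMAC-SHA1 hash, 1000 rounds, 64-byte key."""
    password, salt = "correct horse", b"constructedsalt1"
    hash_hex = hashlib.pbkdf2_hmac("sha1", password.encode(), salt, 1000, 64).hex()
    good = from_hex_legacy("sha1", 1000, salt.hex(), hash_hex)
    # The pitfall from the text: B64-encoding the hex text instead of the decoded bytes.
    bad = f"$pbkdf2-sha1$i=1000,l=64${b64_encode(salt.hex().encode())}${b64_encode(hash_hex.encode())}"
    return good, bad
```

The "bad" string fails verification before any key derivation, because the B64-encoded hex text decodes to 128 bytes while l=64 is declared, which is the "length is not correct" cause listed above.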
