Importing users with pbkdf2 hashed passwords

Curious if anyone has been able to successfully import hashed passwords from an ASP.NET Identity based solution.

Everything I am seeing indicates that I should be able to do this but so far I haven’t had any luck.

The default hashing algorithm is implemented with PBKDF2 & HMAC-SHA1 (1000 iterations) [Reference]

This hashing scheme appears to be supported in the documentation (Bulk Import #PBKDF2), and the import job does successfully complete, but when I attempt to log in with the imported user’s password I get a message indicating that I need to reset the password.

I am aware that the ASP.NET PasswordHasher is pre-pending a single byte to the hash that is stored in the database that indicates the algorithm version and I am removing that before passing in the hash.

Here is an example of what I am sending in w/ the actual hash removed.
    [
      {
        "email": "example@example.com",
        "email_verified": false,
        "custom_password_hash": {
          "algorithm": "pbkdf2",
          "hash": {
            "value": "$pbkdf2-sha1$i=1000,l=64${realHashRemoved}",
            "encoding": "utf8"
          }
        }
      }
    ]

Any help would be appreciated. Thanks!

1 Like

For anyone who stumbles on this topic.

I was able to get this resolved with the help of Auth0 support.

There were two issues with my import:

  1. The "hash": {"value": } was an incorrect format. I needed to split the salt out and add it to the beginning of the string (as indicated in the documentation).
  2. The key length I was passing in was incorrect. I was using the default/example value of l=64, but the actual ASP.NET v2 identity key is only 256 bits or 32 bytes, so the value needed to be l=32.

For reference this was the correct format:

    "value": "$pbkdf2-sha1$i=1000,l=32${salt}${hash}"

3 Likes
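
The conversion described in the reply above, as an added example that is not part of the original posts and is not Auth0 or Microsoft code. It assumes the ASP.NET Identity v2 stored value is base64 of a 0x00 version byte, a 16-byte salt and a 32-byte key, and that the salt and hash fields of the import string are base64 without padding; check both against your own data and the Bulk Import documentation. All function names and the sample hash are constructed for illustration.

```python
import base64
import hashlib
import hmac

ITERATIONS = 1000  # ASP.NET Identity v2 default, per the thread
SALT_LEN = 16      # assumption: v2 blob is 0x00 | 16-byte salt | 32-byte key
KEY_LEN = 32       # 256-bit key, hence l=32


def b64_nopad(raw):
    """Base64 without '=' padding (assumed encoding of the PHC fields)."""
    return base64.b64encode(raw).decode("ascii").rstrip("=")


def aspnet_v2_to_phc(stored_b64):
    """Split the stored blob into salt and key and build the import value."""
    blob = base64.b64decode(stored_b64, validate=True)
    if len(blob) != 1 + SALT_LEN + KEY_LEN or blob[0] != 0x00:
        raise ValueError("not an ASP.NET Identity v2 password hash")
    salt, key = blob[1:1 + SALT_LEN], blob[1 + SALT_LEN:]
    return f"$pbkdf2-sha1$i={ITERATIONS},l={KEY_LEN}${b64_nopad(salt)}${b64_nopad(key)}"


def phc_matches(phc, password):
    """Recompute PBKDF2 from the PHC fields; run this before importing."""
    _, alg, params, salt_b64, key_b64 = phc.split("$")
    p = dict(kv.split("=") for kv in params.split(","))
    unpad = lambda s: base64.b64decode(s + "=" * (-len(s) % 4))
    derived = hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"),
                                  unpad(salt_b64), int(p["i"]), int(p["l"]))
    return alg == "pbkdf2-sha1" and hmac.compare_digest(derived, unpad(key_b64))


def import_record(email, stored_b64):
    """One entry of the bulk-import array, same shape as in the question."""
    return {"email": email, "email_verified": False,
            "custom_password_hash": {"algorithm": "pbkdf2", "hash": {
                "value": aspnet_v2_to_phc(stored_b64), "encoding": "utf8"}}}


# Constructed sample: a v2-style hash for a test password and a fixed salt.
SAMPLE_PASSWORD = "correct horse"
SAMPLE_SALT = bytes(range(16))
SAMPLE_STORED = base64.b64encode(
    b"\x00" + SAMPLE_SALT + hashlib.pbkdf2_hmac(
        "sha1", SAMPLE_PASSWORD.encode("utf-8"), SAMPLE_SALT, ITERATIONS, KEY_LEN)
).decode("ascii")
```

Running `phc_matches` against a test account whose password you know confirms the salt split and key length locally before the import job is submitted.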
