Migrating users from a sha256 password

inspiran · March 24, 2023, 4:55pm

Hello,

passwords for our users were initially made using sha256_crypt.hash() in python resulting in following format : $5$rounds=535000$qgfr4.Ky9h/ODeTk$ByU6XFDg1UIUAboU/mOWP7v55h46x0hjdBHVQhaLtP4

Unfortunately the passwords do not match after importing users. The json contains the algorithm, hash and salt. Not sure though if the position of the salt is prefix,.

 "custom_password_hash": {
      "algorithm": "sha256",
      "hash": {
        "encoding": "base64",
        "value": "QnlVNlhGRGcxVUlVQWJvVS9tT1dQN3Y1NWg0NngwaGpkQkhWUWhhTHRQNA=="
      },
      "salt": {
        "position": "prefix",
        "value": "qgfr4.Ky9h/ODeTk"
      }
    },

Python code used to construct the json part:

            parts = original_password.split('$')
            password_bytes = parts[4].encode('ascii') #get the hash
            password_base64_bytes = base64.b64encode(password_bytes)
            password_data = password_base64_bytes.decode("ascii")

"custom_password_hash": {
                "algorithm": "sha256",
                "hash": {
                    "value": password_data,
                    "encoding": "base64"
                },
                "salt": {
                    "value": parts[3],
                    "position": "prefix"
                }
            }

Any help would be appreciated! Kind regards, Daniel

dan.woda · March 27, 2023, 8:09pm

Hi @inspiran,

Welcome to the Auth0 Community!

I understand you are having trouble with a password hash import, I’ll look into it and get right back to you.

Thanks,
Dan

dan.woda · March 28, 2023, 1:12pm

What library are you using?

inspiran · March 28, 2023, 1:24pm

Hi Dan,

We are using
https://passlib.readthedocs.io/en/stable/lib/passlib.hash.sha256_crypt.html

encrypted_pwd = sha256_crypt.encrypt(plain_text_password)

inspiran · April 4, 2023, 4:47pm

Any update on your findings Dan?

dan.woda · April 7, 2023, 6:30pm

Hi @inspiran,

Apologies for the delay. I did a deep dive on this and discovered that you are limited to a max of 10k rounds for SHA256

If you don’t have those, then you will need to import users without hashes. Here’s a resource on that:

system · June 26, 2023, 5:38pm

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Is there any way to import user with password salted twice ? (prefixed/suffixed) Get Help auth0 , api , user-import	3	2687	March 25, 2021
Migrate users in bulk from external database Get Help migrate-users	8	3374	February 17, 2021
Bulk Import tool with hashed password Get Help	3	4149	July 30, 2019
Import users with a bcrypt password hash salted with 12 rounds Get Help user-import , bcrypt	4	8281	September 5, 2020
Bulk Import of users with hashed passwords using Java BCrypt - import succeeding but password not carrying over Get Help password , hash , password-hash	4	5741	November 6, 2019

Migrating users from a sha256 password

Related topics