Migrating users with password_hash that have cost of 12 rounds

Hi… We have recently upgraded our bcrypt ruby gem which is why some of our passwords are encrypted with cost 12. Older passwords are cost 10

These newer passwords are failing your regex matching which means we can’t import more recent customers

eg.

$2a$12

prefix vs these that are fine

$2a$10

"errors": [
  {
    "code": "PATTERN",
    "message": "Error in passwordHash property - String does not match pattern ^\\$2[ab]?\\$10+\\$[./A-Za-z0-9]{53}$: $2a$12$2FiyJRDlILafg.46m623KOj5IN1Xa2G9sllzVbVoT3uKbpfaoBLHC",
    "path": "passwordHash"
  }
]

We tried and tested your migration process a couple of months ago with no issues. This issue has surfaced last minute so could really use some help getting this over the line. Do you not allow passwords with cost 12?

Hey @engineering4, Welcome to the Auth0 community!

I tested a bcrypt with 12 rounds, by importing a custom password hash for it, by the import/export extension and it seems to work correctly. It is supported there.

Generated the bcrypt from here:

Then imported the following sample json payload using the import extension:

[
    {
            "user_id": "1207423456745",
            "email": "test@contoso.com",
            "custom_password_hash": {
                "algorithm": "bcrypt",
                "hash": {
                    "value": "$2y$12$FI9sV48tF.wWUVpE04Hauu97oPHs0nBvJICh6XZ1A01d8CSVH0YoG"
                }
            }
    }
]

More info:

After that I was able to login with the password.

Have a try and let me know!

Regards,
Sid

1 Like

Thanks for the quick reply. Great help. I was using just

"user_id": "1207423456745",
"email": "test@contoso.com",
"password_hash": "$2y$12$FI9sV48tF.wWUVpE04Hauu97oPHs0nBvJICh6XZ1A01d8CSVH0YoG"

I tried by both API and the extension but seeing this issue in both… You can see from the regular expression in the error message

^\$2[ab]?\$10+\$[./A-Za-z0-9]{53}

that it’s expecting the literal string

$10

Which is why I was worried.

Switching to use your payload structure and specifying bcrypt explicitly sorted this issue.

            "custom_password_hash": {
                "algorithm": "bcrypt",
                "hash": {
                    "value":

Thanks!!!

2 Likes
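
The check discussed above, as an added example that is not part of the original posts and is not Auth0's code: a Ruby pre-flight pass that tests each stored bcrypt hash against the pattern quoted in the error and builds the `custom_password_hash` record from the reply. Helper names and sample rows are assumptions; the cost-10 hash is constructed by editing the cost field of a hash from the thread.

```ruby
require 'json'

# Pattern quoted in the PATTERN error for the plain "password_hash" field.
# \A and \z are Ruby's whole-string anchors, standing in for ^ and $.
PASSWORD_HASH_PATTERN = /\A\$2[ab]?\$10+\$[.\/A-Za-z0-9]{53}\z/

# General bcrypt layout: $2<variant>$<two-digit cost>$<53 chars of salt+digest>.
BCRYPT_LAYOUT = /\A\$2(?<variant>[abxy]?)\$(?<cost>\d{2})\$[.\/A-Za-z0-9]{53}\z/

# Hypothetical helper: return the variant and cost of a bcrypt string, or nil.
def parse_bcrypt(hash)
  m = BCRYPT_LAYOUT.match(hash)
  m && { variant: "2#{m[:variant]}", cost: m[:cost].to_i }
end

# Hypothetical helper: one report row per user, flagging hashes that the
# quoted pattern would reject even though they are well-formed bcrypt.
def preflight(users)
  users.map do |u|
    info = parse_bcrypt(u[:hash])
    { user_id: u[:user_id], cost: info && info[:cost],
      pattern_ok: PASSWORD_HASH_PATTERN.match?(u[:hash]) }
  end
end

# Hypothetical helper: import record in the structure shown in the reply.
def import_record(user)
  raise ArgumentError, "not bcrypt: #{user[:user_id]}" unless parse_bcrypt(user[:hash])
  { 'user_id' => user[:user_id], 'email' => user[:email],
    'custom_password_hash' => { 'algorithm' => 'bcrypt',
                                'hash' => { 'value' => user[:hash] } } }
end

# Constructed sample rows. The hash strings come from the thread; the cost-10
# row is the first hash with its cost field edited, for illustration only.
SAMPLE_USERS = [
  { user_id: 'u-10', email: 'a@example.com',
    hash: '$2a$10$2FiyJRDlILafg.46m623KOj5IN1Xa2G9sllzVbVoT3uKbpfaoBLHC' },
  { user_id: 'u-12a', email: 'b@example.com',
    hash: '$2a$12$2FiyJRDlILafg.46m623KOj5IN1Xa2G9sllzVbVoT3uKbpfaoBLHC' },
  { user_id: 'u-12y', email: 'c@example.com',
    hash: '$2y$12$FI9sV48tF.wWUVpE04Hauu97oPHs0nBvJICh6XZ1A01d8CSVH0YoG' }
].freeze

if __FILE__ == $PROGRAM_NAME
  preflight(SAMPLE_USERS).each { |row| puts row.inspect }
  puts JSON.pretty_generate(SAMPLE_USERS.map { |u| import_record(u) })
end
```

Rows with `pattern_ok: false` and a non-nil `cost` are valid bcrypt hashes that only the quoted `password_hash` pattern rejects, which is the case this thread ran into.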

Glad it’s working now and thanks for sharing it with the rest of the community!

Just to share the documentation I missed in case anyone else comes across this.

Whoops

1 Like

Thanks for sharing that with the rest of the community!