Migrating users with password_hash that have have cost of 12 rounds

engineering4 · December 12, 2020, 12:45am

Hi… We have recently upgraded our bcrypt ruby gem which is why some of our passwords are encrypted with cost 12. Older passwords are cost 10

These newer passwords are failing your reg ex matching which means we can’t import more recent customers

eg.

$2a$12

prefix vs these that are fine

$2a$10

"errors": [
  {
    "code": "PATTERN",
    "message": "Error in passwordHash property - String does not match pattern ^\\$2[ab]?\\$10+\\$[./A-Za-z0-9]{53}$: $2a$12$2FiyJRDlILafg.46m623KOj5IN1Xa2G9sllzVbVoT3uKbpfaoBLHC",
    "path": "passwordHash"
  }
]

We tried and tested your migration process a couple of months ago with no issues. This issue has surfaced last minute so could really use some help getting this over the line. Do you not allow passwords with cost 12?

sidharth.chaudhary · December 12, 2020, 6:48am

Hey @engineering4, Welcome to the Auth0 community!

I tested a bcrypt with 12 rounds , by importing a custom password hash for it, by the import/export extension and it seems to work correctly. It is supported there.

Generated the bcrypt from here:

Then imported the following sample json payload using the import extension:

[
    {
            "user_id": "1207423456745",
            "email": "test@contoso.com",
            "custom_password_hash": {
                "algorithm": "bcrypt",
                "hash": {
                    "value": "$2y$12$FI9sV48tF.wWUVpE04Hauu97oPHs0nBvJICh6XZ1A01d8CSVH0YoG"
                }
            }
    }
]

More info:

After that I was able to login with the password.

Have a try and let me know!

Regards,
Sid

engineering4 · December 12, 2020, 9:17pm

Thanks for the quick reply. Great help. I was using just

"user_id": "1207423456745",
"email": "test@contoso.com",
"password_hash": "$2y$12$FI9sV48tF.wWUVpE04Hauu97oPHs0nBvJICh6XZ1A01d8CSVH0YoG"

I tried by both API and the extension but seeing this issue in both… You can see from the regular expression in the error message

^\$2[ab]?\$10+\$[./A-Za-z0-9]{53}

that it’s expecting the literal string

$10

Which is why I was worried.

Switching to use your payload structure and specifying bcrypt explicitly sorted this issue.

            "custom_password_hash": {
                "algorithm": "bcrypt",
                "hash": {
                    "value":

Thanks!!!

konrad.sopala · December 14, 2020, 9:46am

Glad it’s working now and thanks for sharing it with the rest of community!

engineering4 · December 16, 2020, 6:06am

Just to share the documentation I missed in case anyone else comes across this.

Whoops

konrad.sopala · December 16, 2020, 1:58pm

Thanks for sharing that with the rest of community!

system · December 31, 2020, 1:58pm

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Import users with a bcrypt password hash salted with 12 rounds Help user-import , bcrypt	4	7345	September 5, 2020
User Import Fails with Error: "Error in passwordHash Property - String does not Match Pattern" Knowledge Articles	1	644	October 4, 2023
Bulk Import tool with hashed password Help	3	4100	July 30, 2019
Import hashed bcrypt passwords Help management-api , users	0	724	June 15, 2023
Password error in migrate users Help migrate-users	7	3692	May 24, 2020

Migrating users with password_hash that have have cost of 12 rounds

Related Topics