Migration of users (bulk import) with pbkdf2 - not working - encoding not clear

I am trying to bulk import and check that the pbkdf2 password works, but it doesn't.
password = '12345678', salt = 'TUN0EKuE' (binary ascii), iterations=150000, keyl=64

our db saves it as “$pbkdf2-sha256$i=150000$TUN0EKuE$4dfeab07c9972d63a113b834e058467ecf0a0a0c80963f02937beec8cf3382b0”

(I've checked via code and 2 websites that the hash is the correct hex value)

but after import, login fails with "wrong password" (and a password change is required because it can't verify a custom hash):

{
  "details": {
    "error": {
      "message": "Password change required.",
      "reason": "Verification failed for the provided custom_password_hash: {'algorithm':'pbkdf2','hash':{'value':'$pbkdf2-sha256$i=150000,l=64$TU...'},'salt':{'value':''}}"
    }
  }
}

I have imported 12 versions of this:
salt as binary (ascii), salt as hex string of the binary, salt as base64 of the binary, and salt as base64 of the hex string of the binary;
hash as hex string, hash as base64 of the binary value, and hash as base64 of the hex string
(4 salts times 3 hashes)
the following:


I am looking for ideas on what I'm doing wrong.

Help is appreciated.

Hi @noamb,

Welcome to the Auth0 Community!

Thanks for sharing the relevant info. Can you please provide an example user import json?

{
    "email": "noam.berg31@gmail.com",
    "email_verified": true,
    "custom_password_hash": {
        "algorithm": "pbkdf2",
        "hash": {
            "value": "$pbkdf2-sha256$i=150000,l=64$TUN0EKuE$Tf6rB8mXLWOhE7g04FhGfs8KCgyAlj8Ck3vuyM8zgrA"
        }
    },
    "app_metadata": {
        "exp": "salt is binary (ascii), hash is binary as base64",
        "at_bay_user_id": "0c75e1df-fb1f-462a-91bb-9076874e860b",
        "version": 1,
        "imported": true,
        "user_type": "BP_USER"
    },
    "given_name": "Noam Test BP",
    "family_name": "Berg Test BP"
}

We found the issue:

  1. Both the salt and the hash need to be base64 (without padding) of the binary data.
  2. Our original creation of the hash was done with Python hashlib.pbkdf2_hmac; it seems that the default keylen is 32 (and not 64 as we thought).

Also, an online tool we used to verify our code seems to have a bug: it asks for keylen, and when given 64 it generated a 64-character hex string (=32 bytes), so it fooled us into thinking our keylen was 64.

This is the correct hash value (original password is 12345678):

I am posting this in hopes it will help someone in the future

1 Like

Thanks for following up with a solution @noamb! Very helpful.
