Password Change Required After Password Hash Import

Problem Statement

After a password hash import and before a successful login, if an imported user enters the wrong credentials, Auth0 records a “Password change required” error in the tenant logs. We expect a “wrong username or password” error instead.

Solution

The “Password change required” error is raised because Auth0 rehashes passwords after a successful login. Before this happens, Auth0 cannot confirm whether the login failed because of wrong credentials or because of an incorrect password hash. Therefore, the error cannot be “wrong username or password”, which is what is returned when wrong credentials are entered on failed attempts after a successful login.

We have submitted a feature request about providing more details in the error message.
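
The behaviour described in the Solution can be reproduced with a small model of rehash-on-first-login. This is an added example, not Auth0's code: the `UserStore` class, the PBKDF2 parameters and the return strings are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os

# Constructed, simplified model of rehash-on-first-login; not Auth0's implementation.
IMPORT_ITERS = 1_000      # assumed parameters of the imported hash
NATIVE_ITERS = 100_000    # assumed parameters of the platform's own hash


def pbkdf2(password: str, salt: bytes, iters: int) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iters)


class UserStore:
    def __init__(self):
        self.users = {}

    def import_user(self, name, salt, imported_hash):
        # The platform never saw the plaintext, so it cannot tell whether
        # imported_hash is a faithful hash of the user's real password.
        self.users[name] = {"salt": salt, "hash": imported_hash, "rehashed": False}

    def login(self, name, password):
        user = self.users.get(name)
        if user is None:
            return "wrong username or password"
        iters = NATIVE_ITERS if user["rehashed"] else IMPORT_ITERS
        candidate = pbkdf2(password, user["salt"], iters)
        if hmac.compare_digest(candidate, user["hash"]):
            if not user["rehashed"]:
                # First successful login: the plaintext is available, so rehash.
                user["salt"] = os.urandom(16)
                user["hash"] = pbkdf2(password, user["salt"], NATIVE_ITERS)
                user["rehashed"] = True
            return "ok"
        # Mismatch. With an unverified imported hash the cause may be a bad
        # password or a bad hash, so the model reports the ambiguous error.
        if not user["rehashed"]:
            return "password change required"
        return "wrong username or password"
```

In this model a wrong password against a good imported hash and a correct password against a corrupted imported hash produce the same result, which is why the more specific error only appears after the first successful login.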