Password Change Required After Password Hash Import

Problem Statement

After a password hash import and before that user's first successful login, if an imported user enters wrong credentials, Auth0 records a “Password change required” error in the tenant logs. The expected error was “wrong username or password”.

Symptoms

  • Users were imported with password hashes
  • One of these users attempts to log in with an incorrect password before they have had any successful login, and the tenant logs show “Password change required” instead of “wrong username or password”.

Solution

This happens because Auth0 rehashes an imported password only after the user's first successful login. Until then, Auth0 cannot tell whether a failed attempt is caused by wrong credentials or by an incorrectly imported password hash, so it cannot report “wrong username or password” the way it does for failed attempts that follow a successful login.

A more detailed internal error message, one that explicitly states that validation of an imported hash failed (so either the password entered by the end user is incorrect or the hash itself was imported incorrectly for that user), would be more useful and less misleading than the current error description.
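As an added example (not Auth0's code, nor the original article's), the following is a constructed Python model of the flow described above: until the first successful login re-hashes the password, a failed verification of the imported hash cannot be told apart from a wrong password, so only afterwards can a failure be reported as “wrong username or password”. The hash string format, the pre-import format check, and the outcome names are assumptions made for the model.

```python
import base64, hashlib, hmac, os, re

# Constructed model of the behaviour described above, not Auth0's own code. An imported hash is
# "$pbkdf2-sha256$<iters>$<b64 salt>$<b64 key>"; on first successful login the password is re-hashed.
IMPORTED_RE = re.compile(r"^\$pbkdf2-sha256\$(\d+)\$([A-Za-z0-9+/=]+)\$([A-Za-z0-9+/=]+)$")

def make_imported_hash(password: str, iterations: int = 10_000) -> str:
    salt = os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    b64 = lambda b: base64.b64encode(b).decode()
    return f"$pbkdf2-sha256${iterations}${b64(salt)}${b64(key)}"

def validate_import_record(stored: str) -> bool:
    """Pre-import check: a hash that does not parse can never verify, so its user would
    only ever see 'Password change required'. Reject such records before importing."""
    m = IMPORTED_RE.match(stored)
    if not m:
        return False
    try:
        salt = base64.b64decode(m.group(2), validate=True)
        key = base64.b64decode(m.group(3), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    return int(m.group(1)) >= 1000 and len(salt) >= 8 and len(key) == 32

def verify_imported_hash(password: str, stored: str) -> bool:
    if not validate_import_record(stored):
        return False  # a malformed hash fails exactly like a wrong password does
    m = IMPORTED_RE.match(stored)
    salt, key = base64.b64decode(m.group(2)), base64.b64decode(m.group(3))
    got = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, int(m.group(1)))
    return hmac.compare_digest(got, key)

def _native_hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha512", password.encode(), salt, 50_000)

def new_user(imported_hash: str) -> dict:
    return {"imported_hash": imported_hash, "native": None}  # native is set on first success

def login(user: dict, password: str) -> str:
    if user["native"] is None:  # no success since import: the imported hash is still unproven
        if not verify_imported_hash(password, user["imported_hash"]):
            return "password_change_required"  # wrong password OR bad import: cannot tell
        salt = os.urandom(16)
        user["native"] = (salt, _native_hash(password, salt))  # re-hash on first success
        return "success"
    salt, key = user["native"]
    if hmac.compare_digest(_native_hash(password, salt), key):
        return "success"
    return "wrong_username_or_password"  # hash already proven good, so the password is wrong
```

Running validate_import_record over an import file before uploading it is the practical takeaway: a record that fails it will produce the ambiguous error for that user on every attempt.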
