We are slowly transitioning towards Auth0. Right now we have a machine-to-machine app that takes care of authenticating. But we are sending the password in plain text to the api (Authentication API Explorer)
However we would like to avoid sending any password in plain text. For that we would like to hash them. But I dont know if i can send the password hashed and auth0 will “understand” it. I dont think so unless i hash them all before saving them in the auth db.
So i can hash them all as I have seen some people do, however if we migrate to a full auth0 login im unsure how can we “hash in the middle” so we can validate the password. And even more complex if we think about the password change. though we might be able to have an auth0 action that changes the password again to the hashed version
Either way I would like to ask for your guidance regarding how can I avoid sending any password in plain text with the least amount of hassle, taking into account the future transitioning to the auth0 login
Welcome to the Community!
Outside of the bulk import features, Auth0 doesn’t offer the ability to work with a password hash instead of a password.
That isn’t to say you couldn’t send the hashes as passwords (although, it’s possible this could have some unforeseen consequences), but they would not work once you migrated to Universal Login and users are submitting username/password directly to Auth0.
You will eventually need to bulk migrate the hashes (which would work as long as they are the correct format) or do an Automatic Migration in that scenario.
It might be easier to simply wait until you are ready to migrate to Auth0 then to deal with the hashes during individual auth requests. If you haven’t seen this blog yet, it will help you understand the strategies for migrating: Technical Strategies for Migrating Users to Auth0
Thank you for all the help provided. It has helped a lot.
Another question now that I have you. In the universal login, the password is sent to the backend in clear text or is hashed before sending the post?
If you inspect the request, you can see the password is sent in a POST to the backend in plaintext.
And isn’t that considered risky?
I checks and i saw it was like that but i wanted to validate
This is a great question. I always assumed it is because we trust HTTPS to encrypt it in transit (which we do), but it goes deeper then that.
Thanks for asking a good question. TIL’d.
This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.