Unsupported password hash algorithm during bulk user import job

Hi,

Is it possible to force the user to change his password after first login? I’m using a bulk user import job and each user has a custom hashed password section filled. However, I need the user to change the pass after login. I import ~500 users, so I don’t want to create 500 ‘password change’ requests, especially because there is no way to do that for several users in a row. Please correct me if I’m wrong.
After searching I found this article: Bulk User Imports and this particular pre-request:

  • If you are importing passwords, make sure the passwords are hashed using one of the supported algorithms. Users with passwords hashed by unsupported algorithms will need to reset their password when they log in for the first time after the bulk import.*
    I tried to use an unsupported hash algorithm, but in that case users weren’t imported at all. Is this way still relevant? If so, how should I modify my user object so Auth0 understands unsupported algorithm, imports a user and forces him to change the pass?

Sorry, formatting issue. It should be:
…and this particular pre-request: If you are importing passwords, make sure the passwords are hashed using one of the supported algorithms. Users with passwords hashed by unsupported algorithms will need to reset their password when they log in for the first time after the bulk import.

I tried to use an unsupported hash algorithm, but in that case users weren’t imported at all. Is this way still relevant? If so, how should I modify my user object so Auth0 understands unsupported algorithm, imports a user and forces him to change the pass?

I have exactly the same question. @djrazor308 Did you find a solution?

Or @dan.woda , do you have any idea on this?

Yes, this is possible. The Classic Universal Login experience will throw an error if you pass a bad hash. There is an example of it in this thread:

Thank you for the very quick response, will test it!

@dan.woda I tried to willingly create an invalid hash for the examples listed here Bulk User Import Database Schema and Examples. For some algorithms, like bcrypt, an incorrect hash will not even import the new user; and for some others, like md4, I couldn’t create an incorrect hash.

Do you happen to know which incorrect hash (if possible please with an example, including which algorithm and which hash value), will:

  1. Import the user
  2. When that user tries to log in, they will see a screenshot like in Error after importing user with custom password hash

Thank you so much for your help!

Here’s an example of what I used:

[
  {
    "user_id": "2000",
    "email": "examplecouser20@example.com",
    "given_name": "ExampleCo User",
    "name": "ExampleCoUser20",
    "custom_password_hash": {
      "algorithm": "bcrypt",
      "hash": {
        "value": "$2a$10$aHF7mbpWTzzz7PJVtwtjNelaKbszikcYBCB2jibvbFcGFmOsu/s4K"
      }
    }
  }
]
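
An added example, not part of the thread and not Auth0 code: a pre-upload check in Python that sorts the records of an import file by whether their `custom_password_hash` names a known algorithm and, for bcrypt, whether the hash string is structurally well-formed. The algorithm set and the names `classify`, `check_file` and `entry` are assumptions; record 2000 carries the hash posted above and the other records are constructed.

```python
import json
import re

# Assumption: algorithm names as listed in Auth0's bulk import schema docs; verify first.
SUPPORTED = {"argon2", "bcrypt", "hmac", "ldap", "md4", "md5",
             "sha1", "sha256", "sha512", "pbkdf2", "scrypt"}

# bcrypt string: $2a$ or $2b$, two-digit cost, then 22 salt + 31 digest characters.
BCRYPT_RE = re.compile(r"\$2[ab]\$(\d{2})\$[./A-Za-z0-9]{53}")


def classify(user):
    """Return (user_id, verdict) for one record of the import file."""
    uid = user.get("user_id", "<no user_id>")
    cph = user.get("custom_password_hash")
    if cph is None:
        return uid, "no-hash"
    algo = cph.get("algorithm")
    if algo not in SUPPORTED:
        return uid, "unsupported-algorithm"
    if algo != "bcrypt":
        return uid, "not-checked"  # only bcrypt structure is validated here
    match = BCRYPT_RE.fullmatch((cph.get("hash") or {}).get("value", ""))
    if match is None or not 4 <= int(match.group(1)) <= 31:
        return uid, "malformed-bcrypt"
    return uid, "well-formed-bcrypt"


def check_file(text):
    return dict(classify(user) for user in json.loads(text))


def entry(uid, value, algorithm="bcrypt"):
    return {"user_id": uid, "email": f"user{uid}@example.com",
            "custom_password_hash": {"algorithm": algorithm, "hash": {"value": value}}}


# Constructed sample: record 2000 uses the hash posted above; the rest are made up.
SAMPLE = json.dumps([
    entry("2000", "$2a$10$aHF7mbpWTzzz7PJVtwtjNelaKbszikcYBCB2jibvbFcGFmOsu/s4K"),
    entry("2001", "$2a$10$tooShort"),
    entry("2002", "0123abcd", algorithm="whirlpool"),
    {"user_id": "2003", "email": "user2003@example.com"},
])

if __name__ == "__main__":
    for uid, verdict in check_file(SAMPLE).items():
        print(uid, verdict)
```

Record 2000 is reported as `well-formed-bcrypt`: the posted value has a valid 60-character bcrypt structure.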

Thanks… unfortunately for me that results in a message ‘Wrong password’ when I try to log in for that user and does not result in this ‘Password needs to be updated because of first time login’ message. Are you sure it is an incorrect hash?

Are you using Classic UL?
