User Passwords Not Working After Bulk Importing Users with MD4 Algorithm Specified

Last updated: Nov 7th, 2024

Overview

After importing users with passwords hashed with MD4, users are not able to log in with their existing password.

  • Users see "Invalid username or password" errors even though they provide valid credentials.
  • To reproduce this issue, bulk import one or more users with the custom_password_hash algorithm set to md4 and a valid MD4 hashed password included. For example:
[
  {
    "email": "name@domain.com",
    "email_verified": false,
    "custom_password_hash": {
      "algorithm": "md4",
      "hash": {
        "value": "OGZiZDdjNTQ1Nzk4Yzk3OGM1ZDk0MTRmMmQ5MzBkMzg=",
        "encoding": "base64"
      }
    }
  }
]
  • Once imported, try to log in with the plaintext password. The login will be denied despite the credentials being correct.

Cause

This is often caused by declaring the wrong encoding for the hash value. For example, custom_password_hash.hash.encoding is set to base64 when the hash value is actually hex-encoded. The record above shows exactly this: its base64 value decodes to the 32-character hex string 8fbd7c545798c978c5d9414f2d930d38 rather than to the 16 raw bytes of an MD4 digest, so the imported hash can never match the hash computed from the user's password at login.

Solution

Make sure the encoding declared in custom_password_hash.hash.encoding matches how the hash value is actually encoded. To verify this, hash a known password of an existing user with MD4, encode the resulting digest with the declared encoding, and compare it with the stored hash value; if the two differ, the encoding (or the value) in the import file is wrong.
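The following Python script is an added example (it is not part of this article or of the import tool) that performs that comparison: it computes MD4 in pure Python (hashlib's md4 is frequently unavailable under OpenSSL 3), decodes an import record's hash value using its declared encoding, and reports whether the value matches the known password or is a hex digest that was mistakenly base64-encoded. The email address, the plaintext "abc" and the three import records are constructed for the demonstration.

```python
import base64, struct
M = 0xFFFFFFFF
def _rotl(x, n): return ((x << n) | (x >> (32 - n))) & M
def md4(data: bytes) -> bytes:
    # MD4 per RFC 1320 in pure Python (hashlib's "md4" is often disabled under OpenSSL 3).
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    msg = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", len(data) * 8)
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    r3 = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for i in range(16):  # round 1: F, words in order, shifts 3/7/11/19
            a = _rotl((a + F(b, c, d) + X[i]) & M, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 2: G, column order, shifts 3/5/9/13
            a = _rotl((a + G(b, c, d) + X[(i % 4) * 4 + i // 4] + 0x5A827999) & M, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 3: H = x ^ y ^ z, bit-reversed order, shifts 3/9/11/15
            a = _rotl((a + (b ^ c ^ d) + X[r3[i]] + 0x6ED9EBA1) & M, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        a, b, c, d = (a + aa) & M, (b + bb) & M, (c + cc) & M, (d + dd) & M
    return struct.pack("<4I", a, b, c, d)

def decode_hash(value: str, encoding: str) -> bytes:
    # Decode custom_password_hash.hash.value the way the import does: per its declared encoding.
    if encoding not in ("base64", "hex"):
        raise ValueError("unsupported encoding: " + encoding)
    return base64.b64decode(value) if encoding == "base64" else bytes.fromhex(value)

def check_record(record: dict, plaintext: str) -> str:
    # "ok": decoded value == MD4(plaintext). "hex-in-base64": the hex digest itself was
    # base64-encoded and declared as base64 (the mistake this article describes).
    h = record["custom_password_hash"]["hash"]
    raw, expected = decode_hash(h["value"], h["encoding"]), md4(plaintext.encode("utf-8"))
    if raw == expected:
        return "ok"
    if h["encoding"] == "base64" and raw == expected.hex().encode("ascii"):
        return "hex-in-base64"
    return "mismatch"

def import_record(email: str, value: str, encoding: str) -> dict:
    return {"email": email, "email_verified": False, "custom_password_hash":
            {"algorithm": "md4", "hash": {"value": value, "encoding": encoding}}}
# Constructed sample: a user whose known plaintext is "abc" (an RFC 1320 test vector).
DIGEST = md4(b"abc")
GOOD = import_record("name@domain.com", base64.b64encode(DIGEST).decode(), "base64")
BAD = import_record("name@domain.com", base64.b64encode(DIGEST.hex().encode()).decode(), "base64")
FIXED = import_record("name@domain.com", DIGEST.hex(), "hex")  # same digest, correctly declared
```

Running check_record on each record against the known password gives "ok" for GOOD and FIXED and "hex-in-base64" for BAD, which is the record shape to correct before re-importing.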