Overview
When a user attempts to log in using the correct password following a custom password hash import, the login fails, and the tenant logs record the following error:
Password change required error with reason Verification failed for the provided custom_password_hash
Applies To
- Bulk user import
- Custom password hashes
Cause
This error is expected when a user enters the wrong password, as Auth0 cannot be certain if there is an issue with the hash provided or the password is simply incorrect, as detailed in this community article:
Password Change Required After Password Hash Import
However, if the password is verifiably correct, then there is most likely an issue in the provided custom_password_hash object, which causes the hash Auth0 generates when the user logs in to differ from the hash stored on the user account.
Solution
Check against the documentation below that all the necessary details are included in the user’s import object:
Depending on the algorithm in use on the legacy system, the contents of the custom_password_hash object will need different attributes:
The most common issues with custom password hashes are encoding-related issues.
- For example, there may be a mismatch between the encoding actually used for the provided hash and the encoding specified for it in the import.
Another potential cause is if the plaintext password is converted to bytes differently by the source/legacy system—by default, Auth0 will use UTF-8 to encode the password string to bytes before attempting hashing, but the source system may have used a different encoding when the original hash was generated.
This can be accounted for by specifying the password.encoding attribute:
- If the source system used UTF-16 LE to encode the original password before hashing, the following is required so that Auth0 generates the hash in the same way when checking that the password is correct:
"custom_password_hash": {
    "algorithm": "sha1",
    "hash": {
        "value": "HASH_IN_BASE64_HERE",
        "encoding": "base64"
    },
    "salt": {
        "value": "SALT_IN_BASE64_HERE",
        "encoding": "base64",
        "position": "prefix"
    },
    "password": {
        "encoding": "utf16le"
    }
}
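A pre-import check for the mismatch described above, as an added example (not Auth0 code): it recomputes the digest locally from a test account's known password and reports which password encoding and salt position reproduce the stored hash. It assumes the digest is taken over the salt and password bytes concatenated in the stated position, that UTF-8 and prefix are the defaults, and that "hex" and "suffix" are accepted values; the function names and sample values are constructed for illustration.

```python
import base64
import hashlib
import hmac
from itertools import product

# Python codec names for the password.encoding values handled in this example.
PASSWORD_CODECS = {"utf8": "utf-8", "utf16le": "utf-16-le"}


def decode_field(field):
    """Decode a {"value", "encoding"} field (hash or salt) to raw bytes."""
    if field["encoding"] == "base64":
        return base64.b64decode(field["value"], validate=True)
    if field["encoding"] == "hex":
        return bytes.fromhex(field["value"])
    raise ValueError("unsupported encoding: " + field["encoding"])


def verify(cph, password):
    """Recompute the salted digest described by cph and compare it to cph["hash"]."""
    pw = password.encode(PASSWORD_CODECS[cph.get("password", {}).get("encoding", "utf8")])
    salt_field = cph.get("salt") or {}
    salt = decode_field(salt_field) if salt_field else b""
    data = pw + salt if salt_field.get("position") == "suffix" else salt + pw
    digest = hashlib.new(cph["algorithm"], data).digest()
    return hmac.compare_digest(digest, decode_field(cph["hash"]))


def diagnose(cph, password):
    """Return the (password encoding, salt position) pairs that reproduce the hash."""
    matches = []
    for enc, pos in product(PASSWORD_CODECS, ("prefix", "suffix")):
        trial = dict(cph, password={"encoding": enc})
        if "salt" in cph:
            trial["salt"] = dict(cph["salt"], position=pos)
        if verify(trial, password):
            matches.append((enc, pos))
    return matches


# Constructed sample: a legacy system that stored SHA1(salt + UTF-16LE(password)).
SAMPLE_SALT = b"constructed-salt"
SAMPLE_PASSWORD = "correct horse \u00e9"
SAMPLE_DIGEST = hashlib.sha1(SAMPLE_SALT + SAMPLE_PASSWORD.encode("utf-16-le")).digest()
SAMPLE = {  # import object as first submitted, with no password.encoding attribute
    "algorithm": "sha1",
    "hash": {"value": base64.b64encode(SAMPLE_DIGEST).decode(), "encoding": "base64"},
    "salt": {"value": base64.b64encode(SAMPLE_SALT).decode(), "encoding": "base64", "position": "prefix"},
}
```

With the constructed sample, verify(SAMPLE, SAMPLE_PASSWORD) fails under the UTF-8 default, and diagnose(SAMPLE, SAMPLE_PASSWORD) shows that adding "password": {"encoding": "utf16le"} is what makes the hash match.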