
We have a dataset of usernames and passwords that we'd like to migrate to FusionAuth.

According to the tutorial, we can write a password encryptor to implement our hashing logic, so we don't have to ask users to reset their passwords.

However, we'd like to benefit from the available encryptors for new users or when migrated users reset their passwords. It's my understanding we can't convert the salted hash passwords to other encryptors.

Is there a strategy for that?

Thanks!

AlvMF1

1 Answer

If I understand correctly, you want to migrate users with an existing hash, but have the option to upgrade that hash at runtime without any user impact?

This is possible: you import the hash as you have it, and then configure FusionAuth to upgrade the hash at next login to the configured default.

When you enable 'Re-hash on login', if the user's hash does not match the configured scheme and factor, FusionAuth will upgrade the hash and the user will not be affected.

Find this setting in the UI, see Settings --> System --> Passwords.

robotdan
  • That's an awesome feature! However, I'm not sure how to write the encryptor... Our hashes contain a random salt in it: they look like `:` (I know, I didn't write that). What we do is, we split the hash on the `:` to get the salt and generate the md5 of password + salt to check if they match. So in order to do the same, we'd have to have access to the user's password hash beforehand. Any thoughts? – AlvMF1 Jun 26 '19 at 21:06
  • That should still work, that is a common way to store the hash. During import you'll split on `:` as you mentioned, and then use those parts on the Import API. The first part is the hashed password, the second is the salt, in your case the encryption scheme is `salted-md5`, and the factor will be `1`. No need to write your own encryptor unless you're using something really non-standard, let me know if that is the case. See Import API https://fusionauth.io/docs/v1/tech/apis/users#import-users and Password Encryptors for more info. https://fusionauth.io/docs/v1/tech/reference/password-encryptors – robotdan Jun 27 '19 at 01:11
  • Thanks again for the response. I tried doing that, but can't log in on FusionAuth after import. I tried `salted-md5` of salt=`4MTVxbvk8swI0ys2Lf4saeR3swRvn0f2` and password=`password` that yields `e0198a696980741ec49e2c56615fbc98`. Unless it's not `salt + password`, but `password + salt`? :) – AlvMF1 Jun 27 '19 at 04:22
  • Can you (safely) provide a raw entry that is in the pattern you describe with the `:` separator and a known password (plain text) so I can test to see what type of hash it contains? If not, if you join the FusionAuth slack channel you can DM me or use the contact form on fusionauth.io. – robotdan Jun 27 '19 at 14:37
  • That's the pattern we have: `e0198a696980741ec49e2c56615fbc98: 4MTVxbvk8swI0ys2Lf4saeR3swRvn0f2` and password is `password` for this one. – AlvMF1 Jun 27 '19 at 16:27
  • I cracked it, open a GitHub issue for this and I'll give you some working code and help you with the plugin to get the import working. – robotdan Jun 27 '19 at 21:53
  • I stubbed some code out for you. https://github.com/FusionAuth/fusionauth-issues/issues/204 – robotdan Jun 27 '19 at 22:06
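
The check discussed in the comments, as an added example that is not part of the original thread or FusionAuth's own code: given a legacy `hash:salt` entry and a test account's known password, it reports which concatenation order reproduces the stored MD5 before anything is imported. The function names, the sample records and the dictionary key names in `to_import_fields` are assumptions; confirm the field names and the salt encoding FusionAuth expects against the Import API documentation linked above.

```python
import hashlib
import hmac

# Candidate constructions to try: the two orders raised in the comments above.
CANDIDATES = {
    "md5(password + salt)": lambda pw, salt: pw + salt,
    "md5(salt + password)": lambda pw, salt: salt + pw,
}

def parse_legacy_record(record):
    """Split 'hash:salt' on the first colon, tolerating spaces around it."""
    digest, sep, salt = record.partition(":")
    digest, salt = digest.strip().lower(), salt.strip()
    if (not sep or not salt or len(digest) != 32
            or set(digest) - set("0123456789abcdef")):
        raise ValueError("expected '<32 hex chars>:<salt>'")
    return digest, salt

def identify_construction(record, known_password):
    """Return the names of the candidates that reproduce the stored digest."""
    digest, salt = parse_legacy_record(record)
    matches = []
    for name, build in CANDIDATES.items():
        data = build(known_password, salt).encode("utf-8")
        computed = hashlib.md5(data).hexdigest()
        if hmac.compare_digest(computed, digest):
            matches.append(name)
    return matches

def to_import_fields(record):
    """Per-user hash fields for an import payload (key names are assumed).
    Scheme and factor are the values given in the comment above."""
    digest, salt = parse_legacy_record(record)
    return {"password": digest, "salt": salt,
            "encryptionScheme": "salted-md5", "factor": 1}

# Constructed sample data (not from the page): one record per order,
# with the spacing and letter-case variations a real export may contain.
SAMPLE_PASSWORD = "correct horse"
_SALT = "c0nstructedSalt123"
SAMPLE_PW_SALT = hashlib.md5(
    (SAMPLE_PASSWORD + _SALT).encode()).hexdigest() + ": " + _SALT
SAMPLE_SALT_PW = hashlib.md5(
    (_SALT + SAMPLE_PASSWORD).encode()).hexdigest().upper() + ":" + _SALT

if __name__ == "__main__":
    for rec in (SAMPLE_PW_SALT, SAMPLE_SALT_PW):
        print(identify_construction(rec, SAMPLE_PASSWORD), to_import_fields(rec))
```

An empty result from `identify_construction` means neither order matches, which points to a non-standard construction and the custom encryptor route mentioned in the thread.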