FusionAuth

    How do I handle users without passwords during import

    • robotdan

      Asking for a friend. 🙂

      About half of our users don't have passwords set as they are authenticated via third party ID providers such as Google. While importing users from an existing system, I'm not setting anything for password and salt fields, which is causing the import to throw a "You must specify the [user.password] property for each user." error (using the FA's .net client). What would I set for password and salt in this case? Thank you!

      • robotdan

        You'll want to set the password to something random. You will not need to set the salt, it will be generated for you during import when providing a plain text password.

        Here is a Java example to generate a strong random password.

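        import java.security.SecureRandom;
        import java.util.Base64;

        // Returns `bytes` random bytes from a CSPRNG, URL-safe Base64 encoded without padding.
        public static String secureRandom(int bytes) {
          SecureRandom random = new SecureRandom();
          byte[] buf = new byte[bytes];
          random.nextBytes(buf);
          return Base64.getUrlEncoder().withoutPadding().encodeToString(buf);
        }

        // Usage: 32 random bytes, 43 characters once encoded.
        String randomPassword = secureRandom(32);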

        32 bytes is generally considered adequate. A Base64 encoded character has 62 possible values, and an entropy per character of 5.954 bits. A 16 byte token provides approximately 131 bits of entropy (22 characters * 5.954). A 32 byte token provides approximately 256 bits of entropy (43 characters * 5.954).

        As a side note, during the Import, if you provide a password directly, i.e. not a hash - then FusionAuth will hash the password inline before it stores the value. If you have a lot of users, this will significantly slow the import process.

        • ashok

          Out of curiosity, "then FusionAuth will hash the password inline before it stores the value". What determines a non-hashed password? The absence of salt?

          • robotdan

            If you omit the encryptionScheme property on the user, FusionAuth will assume you are importing a plain text password.

            https://fusionauth.io/docs/v1/tech/apis/users#import-users

            If you were importing a hashed password, you'd have the encryptionScheme, factor, salt, and password (in hash form).

            • ashok

              Ahh! So leave out encryptionScheme, factor, and salt and set password to a 32 bytes random password. Makes sense. Thank you!

              • robotdan

                @ashok you got it!

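The rule the thread settles on, as an added example (not code from the thread or from FusionAuth, and written in Python rather than the Java above): users with an existing hash carry `encryptionScheme`, `factor`, `salt` and the hashed `password` together, while federated-only users get a random plain-text `password` and none of the other three. The legacy record shape, the `users` wrapper and `email` field of the request body, and the sample values are assumptions constructed for illustration.

```python
import json
import secrets

def random_password(nbytes=32):
    # Counterpart of the thread's secureRandom(32): CSPRNG bytes encoded as
    # URL-safe Base64 without padding (43 characters for 32 bytes).
    return secrets.token_urlsafe(nbytes)

def to_import_user(legacy):
    """Map one legacy record (hypothetical shape) to an import user object."""
    user = {"email": legacy["email"]}
    hashed = legacy.get("password_hash")
    if hashed:
        # Existing hash: scheme, factor and salt must all accompany it.
        missing = [k for k in ("scheme", "factor", "salt") if not legacy.get(k)]
        if missing:
            raise ValueError(f"{legacy['email']}: hash present but missing {missing}")
        user.update(password=hashed, encryptionScheme=legacy["scheme"],
                    factor=legacy["factor"], salt=legacy["salt"])
    else:
        # Federated-only account: random plain-text password. Leaving out
        # encryptionScheme is what marks the value as plain text.
        user["password"] = random_password()
    return user

def build_import_body(legacy_users):
    # Assumed request body shape: a top-level "users" array.
    return {"users": [to_import_user(u) for u in legacy_users]}

def count_plaintext(body):
    # Plain-text passwords are hashed inline during import, which slows large
    # imports, so it is worth knowing how many a batch contains.
    return sum(1 for u in body["users"] if "encryptionScheme" not in u)

# Constructed sample records, not real accounts or real hashes.
LEGACY = [
    {"email": "google-user@example.com", "password_hash": None},
    {"email": "local-user@example.com",
     "password_hash": "Y29uc3RydWN0ZWQtaGFzaA==",
     "scheme": "salted-pbkdf2-hmac-sha256", "factor": 24000,
     "salt": "Y29uc3RydWN0ZWQtc2FsdA=="},
]

if __name__ == "__main__":
    body = build_import_body(LEGACY)
    print(json.dumps([sorted(u) for u in body["users"]], indent=2))
    print("plain-text passwords to be hashed inline:", count_plaintext(body))
```

The main block prints only the property names of each user, so the generated passwords never reach the console or a log.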