Topics tagged with passwords

Importing users over time

dan — Invalid Date

I think the way I'd approach this is:

import all users into FusionAuth

At cutover time:

look at local database to see which password hashes had changed pull the user data from FusionAuth for each of these users delete the user re-import the user with the new password hash and the FusionAuth data, maintaining the same userId (if you provide the UUID, we'll use that)

I get that is an additional complexity, but hopefully that helps.

Display password to users

dan — Invalid Date

There is no built in support for this, but you may be able to modify your theme to allow for this functionality using javascript.

Here is a relatively simple example online - https://www.w3schools.com/howto/howto_js_toggle_password.asp - that should be helpful.

Password that never expires?

dan — Invalid Date

If you needed to, you could always build an API integration (the User Update API lets you reset passwords, or you could initiate a Change Password Request) into your application for a specific user.

Migrating users from in-house system to FusionAuth

mgetka — Invalid Date

You can implement any password hashing scheme as a plugin and load it into FusionAuth. Then you simply migrate the user using new scheme. There is a tutorial on that matter in the docs.

Breached passwords and registrations

dan — Invalid Date

If you want to use the breached password detection feature, then that check will be applied for any new account registrations.

You could always disable the breached password detection feature.

Sorry, I don't have a better answer for you.

Password validation rules

dan — Invalid Date

Our validation takes in inverse approach. The setting is actually to require a non-alphanumeric character. So any character that is not alphabetic, or a digit, will satisfy this requirement.

There is not a fixed set of symbols as this would reduce the password entropy, which is generally a bad idea.

I have a fusionauth license, can I install it on non-prod systems?

dan — Invalid Date

Actually, as of when I write this post, we have two license keys available for anyone with a paid edition. One is a prod license and the other is a non prod license. The latter is a good fit for testing, CI, etc.

Creating a user with a hashed password

dan — Invalid Date

Currently the only way to accomplish this will be to use the Import API, as you mentioned: https://fusionauth.io/docs/v1/tech/apis/users#import-users

We do have an open feature request to allow hashes to be provided on the User API, which I think would be what you're looking for: https://github.com/FusionAuth/fusionauth-issues/issues/348

Feel free to upvote that issue.

Are there any disallowed characters in passwords?

robotdan — Invalid Date

In the UI you can select "Special character" to require at least one special character. If anyone is looking to understand which characters will satisfy this requirement read on.

If you view the tooltip or the API - you’ll see the configuration is actually for non-alpha-numeric.

https://fusionauth.io/docs/v1/tech/apis/tenants#create-a-tenant

tenant.passwordValidationRules.requireNonAlpha
Whether to force the user to use at least one non-alphanumeric character.

So instead of limiting this to a specific set of special characters, we allow it to be any character that is not a unicode alphabetic and not a digit. In this way, we do not artificially limit the entropy of the password by saying you must use one or more characters for a finite set of "special characters" as you may be used to seeing on some login forms.

Password policies for password based logins?

dan — Invalid Date

You set these at the tenant level.

Home / Settings /Tenants / Edit in the admin UI.

You can also use the API or a kickstart file to set these.