How do I handle users without passwords during import



  • Asking for a friend. 🙂

    About half of our users don't have passwords set as they are authenticated via third party ID providers such as Google. While importing users from an existing system, I'm not setting anything for password and salt fields, which is causing the import to throw You must specify the [user.password] property for each user. error (using the FA's .net client). What would I set for password and salt in this case? Thank you!



  • You'll want to set the password to something random. You will not need to set the salt, it will be generated for you during import when providing a plain text password.

    Here is a Java example to generate a strong random password.

    public static String secureRandom(int bytes) {
      SecureRandom random = new SecureRandom();
      byte[] buf = new byte[bytes];
      random.nextBytes(buf);
      return Base64.getUrlEncoder().withoutPadding().encodeToString(buf);
    }
    
    String randomPassword = secureRandom(32);
    

    32 bytes is generally considered adequate. A Base64 encoded character has 62 possible values, and an entropy per character of 5.954 bits. A 16 byte token provides approximately 131 bits of entropy (22 characters * 5.954). A 32 byte token provides approximately 256 bits of entropy (43 characters * 5.954).

    As a side note, during the Import, if you provide a password directly, i.e. not a hash - then FusionAuth will hash the password inline before it stores the value. If you have a lot of users, this will significantly slow the import process.



  • Out of curiosity, "then FusionAuth will hash the password inline before it stores the value". What determines a non-hashed password? The absence of salt?



  • If you omit the encryptionScheme property on the user, FusionAuth will assume you are importing a plain text password.

    https://fusionauth.io/docs/v1/tech/apis/users#import-users

    If you were importing a hashed password, you'd have the encryptionScheme, factor, salt, and password (in hash form).



  • Ahh! So leave out encryptionScheme, factor, and salt and set password to a 32 bytes random password. Makes sense. Thank you!



  • @ashok you got it!


Log in to reply