Can I use FusionAuth with a dynamic factor/number of iterations?
-
I have a hashing scheme for my users' passwords which is a bit weird.
There is an algorithm which examines the plaintext password (presented at registration or login) and then calculates the factor based on it (the number of times the hash is run over the plaintext password).
To simplify, it might have a base number of iterations (100,000), and then if the password has only alphanumerics, add 50k iterations. If it has no special character, add 25k iterations. If it is under 10 characters, add 50k iterations, etc.
So a password like "password" would have 225k iterations, whereas a password like "pass#4jkla9jklj" would have 100k iterations.
Is this something FusionAuth can handle?
-
Yes. There are two ways to accomplish this.
If you know the factor ahead of time (it is recorded in a database), then you can set it on import. Use the Import Users API. (You can also use the Create User API if you are creating one user at a time.) With the Import Users API, set the factor for each user; they don't have to be the same across all users.
If you don't know the factor ahead of time, you need to create a plugin. Here's a sample plugin.
In the encrypt method, which has this signature:
public String encrypt(String password, String salt, int factor)
you can ignore the provided factor and use the algorithm you mention to calculate it. You are passed the plaintext password and can examine it for length, characters, etc.
Test and install the custom password hashing plugin into your FusionAuth instance as documented. (If you are running in FusionAuth Cloud, you'll need to open a support ticket with the jar file.)
When importing the user, the factor won't matter, but make sure to set the encryptionScheme to your custom password hashing plugin.
After importing, configure your tenant to rehash users' passwords on login to a more standard factor and hashing scheme. Learn more about that here.
-
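An added example (not from the original post or from FusionAuth) of the plugin approach described in the answer: a password encryptor that ignores the factor FusionAuth passes in and derives the iteration count from the plaintext using the rules from the question. It assumes FusionAuth's PasswordEncryptor SPI (defaultFactor, encrypt, generateSalt); the package name, the SHA-256 iteration scheme and the set of "special" characters are illustrative assumptions.

```java
package com.example.fusionauth; // hypothetical package name

import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Base64;

import io.fusionauth.plugin.spi.security.PasswordEncryptor; // assumed SPI

public class DynamicFactorPasswordEncryptor implements PasswordEncryptor {
  private static final int BASE_ITERATIONS = 100_000;
  private static final String SPECIAL = "!@#$%^&*()-_=+[]{};:,.<>?/|~"; // assumed set

  /** Derives the iteration count from the plaintext, following the rules in the question. */
  static int computeFactor(String password) {
    int factor = BASE_ITERATIONS;
    boolean alnumOnly = password.chars().allMatch(Character::isLetterOrDigit);
    boolean hasSpecial = password.chars().anyMatch(c -> SPECIAL.indexOf(c) >= 0);
    if (alnumOnly) factor += 50_000;          // "password" -> +50k
    if (!hasSpecial) factor += 25_000;        // "password" -> +25k
    if (password.length() < 10) factor += 50_000; // "password" -> +50k, total 225k
    return factor;
  }

  @Override
  public int defaultFactor() { return BASE_ITERATIONS; }

  @Override
  public String generateSalt() {
    byte[] salt = new byte[16];
    new SecureRandom().nextBytes(salt);
    return Base64.getEncoder().encodeToString(salt);
  }

  // Called by FusionAuth both at import/registration and at login with the stored
  // salt; because the factor is recomputed from the plaintext each time, the
  // provided factor can be ignored and verification still yields the same hash.
  @Override
  public String encrypt(String password, String salt, int factor) {
    int iterations = computeFactor(password);
    try {
      MessageDigest md = MessageDigest.getInstance("SHA-256");
      byte[] digest = md.digest((salt + password).getBytes(StandardCharsets.UTF_8));
      for (int i = 1; i < iterations; i++) {
        md.reset();
        digest = md.digest(digest);
      }
      return Base64.getEncoder().encodeToString(digest);
    } catch (NoSuchAlgorithmException e) {
      throw new IllegalStateException("SHA-256 unavailable", e);
    }
  }
}
```

With these rules, computeFactor("password") returns 225000 and computeFactor("pass#4jkla9jklj") returns 100000, matching the two examples in the question.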