
Password hash migration: Formats, salting, and silent rehashing

Blog post from WorkOS

Post Details

- Company: WorkOS
- Date Published: -
- Author: Maria Paktiti
- Word Count: 1,446
- Company Posts That Month: 31
- Language: English
- Hacker News Points: -
Summary

Switching identity providers presents a significant challenge when migrating password hashes, because hashes are one-way by design and cannot be decrypted or converted from one format to another. This text explores the complexities of handling password hashes exported from identity providers such as Auth0, Firebase Auth, and Cognito, and emphasizes the silent rehash pattern, which enables upgrades to stronger algorithms without forcing users to reset their passwords. Each provider uses different hash formats and parameters (bcrypt, scrypt, PBKDF2, and Argon2 among them), each with its own encoding, salt strategy, and parameter configuration that must be carried over correctly during migration. The silent rehash pattern imports the existing hashes as-is, verifies each one against the legacy algorithm on the user's next login, and then rehashes the now-known plaintext with a preferred modern algorithm such as Argon2id, so the user never notices the migration. The text also suggests strategies for long-tail users who seldom log in, recommending a balance between keeping legacy hashes verifiable and setting a sunset policy after which those hashes are retired. The overarching message is that a successful password hash migration requires meticulous attention to both the export and the import: understanding each hash format, carrying over the essential parameters, and verifying the salt strategy before executing the migration.
