FusionAuth

How do I handle users without passwords during import

  • R
    robotdan
    last edited by 19 Jun 2020, 22:49

    Asking for a friend. 🙂

    About half of our users don't have passwords set, as they are authenticated via third-party ID providers such as Google. While importing users from an existing system, I'm not setting anything for the password and salt fields, which is causing the import to throw a "You must specify the [user.password] property for each user." error (using FA's .NET client). What would I set for password and salt in this case? Thank you!

    • R
      robotdan
      last edited by 19 Jun 2020, 22:56

      You'll want to set the password to something random. You will not need to set the salt; it will be generated for you during import when providing a plain text password.

      Here is a Java example to generate a strong random password.

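      import java.security.SecureRandom;
      import java.util.Base64;

      // Returns `bytes` bytes from a CSPRNG, URL-safe Base64 encoded without padding.
      public static String secureRandom(int bytes) {
        SecureRandom random = new SecureRandom();
        byte[] buf = new byte[bytes];
        random.nextBytes(buf);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(buf);
      }

      // 32 random bytes encode to a 43 character password.
      String randomPassword = secureRandom(32);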
      

      32 bytes is generally considered adequate. A Base64 encoded character has 62 possible values, and an entropy per character of 5.954 bits. A 16 byte token provides approximately 131 bits of entropy (22 characters * 5.954). A 32 byte token provides approximately 256 bits of entropy (43 characters * 5.954).

      As a side note, during the Import, if you provide a password directly, i.e. not a hash - then FusionAuth will hash the password inline before it stores the value. If you have a lot of users, this will significantly slow the import process.

      • A
        ashok
        last edited by 19 Jun 2020, 23:03

        Out of curiosity, "then FusionAuth will hash the password inline before it stores the value". What determines a non-hashed password? The absence of salt?

        • R
          robotdan
          last edited by 19 Jun 2020, 23:10

          If you omit the encryptionScheme property on the user, FusionAuth will assume you are importing a plain text password.

          https://fusionauth.io/docs/v1/tech/apis/users#import-users

          If you were importing a hashed password, you'd have the encryptionScheme, factor, salt, and password (in hash form).

          • A
            ashok
            last edited by 19 Jun 2020, 23:25

            Ahh! So leave out encryptionScheme, factor, and salt and set password to a 32-byte random password. Makes sense. Thank you!

            • R
              robotdan
              last edited by 20 Jun 2020, 00:03

              @ashok you got it!

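The approach the thread settles on, as an added example that is not part of the original posts and is not FusionAuth's own code: each source record becomes an import user that either carries a hash together with `encryptionScheme`, `factor` and `salt`, or carries only a random plain text password. Assumptions: the source key `password_hash` and the sample records are constructed for illustration, the `{"users": [...]}` wrapper is taken to be the body shape of the Import Users API linked above, and `secrets.token_urlsafe(32)` stands in for the Java helper (32 random bytes, URL-safe Base64, no padding).

```python
import secrets

# Properties that must accompany a hashed password, per the thread.
HASH_FIELDS = ("encryptionScheme", "factor", "salt")


def to_import_user(src):
    """Map one source-system record (hypothetical shape) to an import user."""
    user = {"email": src["email"]}
    if src.get("password_hash"):
        # Hashed import: a hash without its scheme, factor and salt cannot be
        # verified later, so refuse the record instead of sending it half-filled.
        missing = [f for f in HASH_FIELDS if src.get(f) is None]
        if missing:
            raise ValueError(f"{src['email']}: hashed import is missing {missing}")
        user["password"] = src["password_hash"]
        for field in HASH_FIELDS:
            user[field] = src[field]
    else:
        # No local password (the user signs in through a third-party IdP):
        # set a random value and omit encryptionScheme, factor and salt so the
        # password is treated as plain text and hashed during import.
        user["password"] = secrets.token_urlsafe(32)
    return user


def build_import_body(records):
    """Build the request body; every user ends up with a password property."""
    return {"users": [to_import_user(r) for r in records]}


# Constructed sample records; the bracketed values are placeholders.
SAMPLE = [
    {"email": "google-user@example.com"},
    {"email": "local-user@example.com",
     "password_hash": "<hash from the source system>",
     "encryptionScheme": "<scheme name>",
     "factor": 10000,
     "salt": "<salt from the source system>"},
]

if __name__ == "__main__":
    # Print only the property names so generated passwords never reach a log.
    for u in build_import_body(SAMPLE)["users"]:
        print(u["email"], sorted(k for k in u if k != "email"))
```
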