Import users with custom SHA1 password/salt template?

mwpllpz · March 3, 2020, 5:58am

In the course of migrating a user database with a 2000s-era hand-rolled SHA1 hash template, I found there are fixed characters appended to every password/salt combination before hashing. If it wasn’t for the final two characters I’d have the API up and running and the user database already migrated.

sha1("--[salt]--[password]--")
(3 sets of two dashes)

I’ve followed the user import guidance here and here. I figure I could set the Okta salt to “–[my_old_salt]–” and specify saltOrder:PREFIX. But those final two dashes…

Is there a way to specify a custom template via the API (more flexible than pre/post-fix)? Could someone at Okta hard-code a couple dashes for me?

Help? I’m trying to avoid the JIT option. Thanks!

"password" : {
  "hash": {
    "algorithm": "SHA-1",
    "salt": "UEO3wsAsgzQ=",
    "saltOrder": "POSTFIX",
    "value": "xjrauE6J6kbjcvMjWSSc+PsBBls="
  }
}

chu123 · March 4, 2020, 1:41pm

What values do you have? sha1() values or sha1() value, and salt, and password value?

Honestly, I would try cracking the passwords and see what success rate you get…then you could just create your own bcrypt() values and use the API to send the hash that way.

mwpllpz · March 4, 2020, 4:47pm

Thanks. I appreciate the suggestion, and it might be an option if it was an older hash method or a smaller database.

chu123 · March 4, 2020, 5:58pm

If you are using the sign-in widget, perhaps have a look at processCreds ?? (see: https://github.com/okta/okta-signin-widget)

You could use this to add “--” to the user-supplied password at time of login.

mwpllpz · March 4, 2020, 6:53pm

Very interesting. Hadn’t thought of that, basically change the Okta-side login.

Since we’re keeping the old site up for a while and I have access to the code I figured I’d do the reverse and create an Okta user (with their plaintext pw) every time someone logs into the old site. It won’t catch everyone right away like this idea would. At least their password will be stored in a modern way. Again, thanks!

chu123 · March 4, 2020, 7:31pm

Yeah - if you have some time, you can totally “redo” the pwd storage. Good luck!

wdawson · March 6, 2020, 11:48pm

@mwpllpz @chu123 instead of the processCreds option, you can also leverage this brand new, shiny Inline Hook we just shipped: https://developer.okta.com/docs/reference/password-hook

It lets you create users in a special way and then the first time they authenticate, Okta will call out via a hook to some code that can validate the password. If everything checks out, Okta will migrate the password to a native login.

system · January 23, 2024, 10:49pm

This topic was automatically closed 24 hours after the last reply. New replies are no longer allowed.

Post		Replies	Views
Importing users with hashed passwords into OKTA Questions	3	5978	February 12, 2024
Migrating users from Drupal 7 to Okta Questions	3	3732	February 6, 2024
Migrating Password Hash - UTF-16 Questions	7	4820	February 6, 2024
PBKDF2 - import users API	2	1304	March 14, 2024
Create User with Imported Hashed Password-- Possible to use sha-256 encoded bcrypt? Questions	1	4093	January 24, 2024

Import users with custom SHA1 password/salt template?

Related topics