[keycloak-user] Password hash migration: what authority says "rehash the hash" is a good strategy?

Lukasz Lech l.lech at ringler.ch
Wed Mar 27 12:23:51 EDT 2019


I wonder how you want to attempt 2 or 3?

I've seen code examples for 2, but they ended up creating a link between the keycloak account and the old system database, instead of fully replacing the old (linked) account with a new one.

How would 3 be possible without attempting to break existing passwords?

However, our case was specific because we've got an existing legacy solution with a hashing algorithm not supported by keycloak. We've ended up with 1. An attempt to implement 2 has failed.

Best regards,
Lukasz Lech


-----Original Message-----
From: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces at lists.jboss.org] On Behalf Of Aaron Harnly
Sent: Wednesday, 27 March 2019 16:57
To: keycloak-user at lists.jboss.org
Subject: [keycloak-user] Password hash migration: what authority says "rehash the hash" is a good strategy?

We are migrating an older system with a deprecated password hashing strategy that we want to bring up to modern standard.

There are a range of options for the migration, including:

1. Reset all user passwords (not ideal!)
2. Rehash after successful login (works, but leaves older hashes in storage until the long tail of users have all logged in)
3. "Rehash the hashes", ie bulk replace the 'oldhash' values with newhash(oldhash), with a custom verifier that does the double hash; then do #2 on login.

I'd like input on strategy #3 – ie is there advice from authoritative sources confirming that this is a secure strategy? It seems fine to my layperson's eyeballs, and is surely better than leaving old hash values in storage for a long time. But I'd like reassurance on it, and can't find anything other than stray Stack Overflow responses[1, 2] or blog posts[3] discussing it.

[1]: https://crypto.stackexchange.com/q/2945
[2]: https://security.stackexchange.com/a/17294
[3]: https://www.michalspacek.com/upgrading-existing-password-hashes

Any suggestions for an authoritative source on this?
cheers
-Aaron

_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
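The following is an added worked example of strategy #3 as Aaron describes it (bulk newhash(oldhash), a verifier that does the double hash, then upgrade to a plain newhash on the first successful login). It is not code from either message and not Keycloak's own credential-provider API; it is a stand-alone Python sketch. Assumptions not in the thread: the legacy scheme is modelled as unsalted SHA-1, the new scheme as PBKDF2-HMAC-SHA256 with a per-user random salt, and the record layout, scheme tags and function names (`wrap_legacy`, `verify`, `migrate_user`) are invented here.

```python
"""Password hash migration, strategy #3: wrap legacy hashes in bulk, then
upgrade to a direct new-scheme hash on login. Added example, not Keycloak code."""
from __future__ import annotations

import hashlib
import hmac
import os

# Assumed parameters for the "new hash" (not taken from the thread).
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16

SCHEME_NEW = "pbkdf2-sha256"                 # password hashed directly
SCHEME_WRAPPED = "pbkdf2-sha256(legacy-sha1)"  # legacy hash hashed again


def legacy_hash(password: str) -> str:
    """Stand-in for the deprecated scheme: unsalted SHA-1 hex (constructed for this example)."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def _pbkdf2(material: bytes, salt: bytes, iterations: int) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", material, salt, iterations)


def new_record(password: str, salt: bytes | None = None) -> dict:
    """Hash a known plaintext password with the new scheme (used at login-time upgrade)."""
    salt = salt if salt is not None else os.urandom(SALT_BYTES)
    return {"scheme": SCHEME_NEW, "salt": salt, "iterations": PBKDF2_ITERATIONS,
            "hash": _pbkdf2(password.encode("utf-8"), salt, PBKDF2_ITERATIONS)}


def wrap_legacy(stored_legacy_hex: str, salt: bytes | None = None) -> dict:
    """Bulk step of strategy #3: newhash(oldhash), computed from the stored value alone.
    No plaintext is needed, so every row can be converted in one offline pass and the
    raw legacy hash never has to remain in storage."""
    salt = salt if salt is not None else os.urandom(SALT_BYTES)
    return {"scheme": SCHEME_WRAPPED, "salt": salt, "iterations": PBKDF2_ITERATIONS,
            "hash": _pbkdf2(stored_legacy_hex.encode("ascii"), salt, PBKDF2_ITERATIONS)}


def verify(record: dict, password: str) -> tuple[bool, dict | None]:
    """Custom verifier that understands both record kinds.

    Returns (ok, upgraded_record). upgraded_record is set only when a login
    succeeded against a wrapped record; the caller persists it so the row
    becomes a plain new-scheme hash (step #2 of the thread)."""
    if record["scheme"] == SCHEME_NEW:
        material = password.encode("utf-8")
    elif record["scheme"] == SCHEME_WRAPPED:
        material = legacy_hash(password).encode("ascii")  # the double hash
    else:
        raise ValueError(f"unknown scheme {record['scheme']!r}")
    candidate = _pbkdf2(material, record["salt"], record["iterations"])
    if not hmac.compare_digest(candidate, record["hash"]):  # constant-time compare
        return False, None
    if record["scheme"] == SCHEME_WRAPPED:
        return True, new_record(password)
    return True, None


def migrate_user(stored_legacy_hex: str, login_password: str) -> dict:
    """Walk one user through the migration: bulk wrap, then the first login attempt."""
    wrapped = wrap_legacy(stored_legacy_hex)
    ok, upgraded = verify(wrapped, login_password)
    return {"after_bulk": wrapped, "login_ok": ok,
            "after_login": upgraded if upgraded is not None else wrapped}


if __name__ == "__main__":
    # Constructed sample row from the legacy table.
    legacy_row = legacy_hash("correct horse battery staple")
    result = migrate_user(legacy_row, "correct horse battery staple")
    print(result["after_bulk"]["scheme"], "->", result["after_login"]["scheme"])
```

Two design points worth noting: the scheme tag stored with each record is what lets a single verifier route wrapped and direct hashes correctly, and the outer salt is essential because the inner legacy SHA-1 in this model carries none. The verifier applies `legacy_hash` to the submitted password before the outer PBKDF2, so a value copied from the old table does not itself function as a password.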



More information about the keycloak-user mailing list