Importing Users Without Password Resets

Identity migration guides always say the same thing. They say users must reset their passwords. This is not a rule. It is a choice. Most tools choose the easy path instead of the right one.

You can migrate users without a reset. You just need the new system to verify the existing password hashes. If you have the old hashes and your new system can read their format, the move stays invisible to users.

A password hash is not tied to the system that created it. A bcrypt hash carries its own salt and cost factor, so any system that implements bcrypt can verify it. PBKDF2 works the same way: the parameters travel with the hash. If you have the hash, you can check a password against it without ever knowing the password itself.

Use lazy migration to save time.

  • Carry the old hash into the new system as-is.
  • When the user logs in, verify the submitted password against the old hash.
  • On success, replace it immediately with a hash in the new format, while the plaintext is still in hand.

Over a few weeks, your database updates itself. You get zero password reset emails and zero support tickets.

Different sources provide different formats.

Self-hosted Duende or ASP.NET Identity: the user store holds V3 PBKDF2 hashes or bcrypt hashes. The new system can verify and rehash these easily. This is a clean process.
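The lazy-migration steps above, applied to the ASP.NET Identity V3 format, as an added example that is not code from the original post: a verifier for the V3 blob (format byte 0x01, then big-endian PRF id, iteration count and salt length, then salt and subkey, base64-encoded), plus a login routine that rehashes a legacy row into the new system's own format on first successful login. The new format ("pbkdf2_sha256$...") and the sample user record are constructed for this example; the V3 layout follows ASP.NET Core Identity's PasswordHasher.

```python
import base64
import hashlib
import hmac
import os
import struct

# PRF ids from ASP.NET Core Identity's KeyDerivationPrf enum.
_PRF = {0: "sha1", 1: "sha256", 2: "sha512"}
# New system's format (constructed for this example): higher PBKDF2 cost, text-encoded.
NEW_PREFIX, NEW_ITERATIONS = "pbkdf2_sha256", 600_000

def make_aspnet_v3(password, salt, iterations=10_000, prf=1):
    """Build a V3 blob as the legacy store holds it (used here only to construct sample data)."""
    subkey = hashlib.pbkdf2_hmac(_PRF[prf], password.encode(), salt, iterations, 32)
    blob = b"\x01" + struct.pack(">III", prf, iterations, len(salt)) + salt + subkey
    return base64.b64encode(blob).decode()

def verify_aspnet_v3(stored_b64, password):
    """Check a password against a V3 blob: 0x01 | prf | iters | salt_len | salt | subkey."""
    blob = base64.b64decode(stored_b64)
    if len(blob) < 13 or blob[0] != 0x01:
        return False
    prf, iterations, salt_len = struct.unpack(">III", blob[1:13])
    salt, subkey = blob[13:13 + salt_len], blob[13 + salt_len:]
    if prf not in _PRF or salt_len < 16 or len(subkey) < 16:  # reject malformed or weak blobs
        return False
    expected = hashlib.pbkdf2_hmac(_PRF[prf], password.encode(), salt, iterations, len(subkey))
    return hmac.compare_digest(expected, subkey)  # constant-time compare

def hash_new(password, salt=None):
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, NEW_ITERATIONS, 32)
    return "$".join([NEW_PREFIX, str(NEW_ITERATIONS),
                     base64.b64encode(salt).decode(), base64.b64encode(dk).decode()])

def verify_new(stored, password):
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != NEW_PREFIX:
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), base64.b64decode(parts[2]), int(parts[1]), 32)
    return hmac.compare_digest(dk, base64.b64decode(parts[3]))

def login(user, password):
    """Lazy migration: verify against whichever format is stored; on success, rehash legacy rows."""
    stored = user["password_hash"]
    if stored.startswith(NEW_PREFIX + "$"):
        return verify_new(stored, password)
    if not verify_aspnet_v3(stored, password):
        return False
    user["password_hash"] = hash_new(password)  # plaintext is only available during this login
    return True
```

Rows that never log in keep their V3 hash, so a migration report should count remaining legacy rows rather than assume the store has fully converted.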

Auth0: the stored hashes are bcrypt, so you can import them directly. You cannot get them through a standard API, though. Auth0 does not return password hashes via its API, for security reasons. You must request a bulk export file from Auth0 support; this file contains the bcrypt hashes. Use that file to keep the migration invisible.

If you cannot get the hashes, users must set a new password. This is an honest fallback. Do not let a tool force a reset on you if you can avoid it.

Forced resets cause problems:

  • They create high support loads.
  • They train users to trust phishing emails.
  • They turn a quiet change into a loud problem.

A good migration should feel like nothing happened. Ask if you can get the old hashes before you tell your users to reset their passwords.

Source: https://dev.to/authagonal/importing-users-without-a-password-reset-5h1j