Does Google Cloud Identity Platform support MD5 Crypt password hashes?

[Nick G]

Basically, what the title says. Does Google Cloud Identity Platform support MD5 Crypt password hashes?

I'm trying to import existing users into a new Google Cloud Identity Platform instance (following these steps: https://cloud.google.com/identity-platform/docs/migrating-users#pbkdf), and the user passwords are currently hashed using the MD5 Crypt hashing function in PHP (https://www.php.net/manual/en/function.crypt.php)

I've tried multiple different combinations of passwordSalt and different hash algorithms, but none of them let me authenticate with the user's password. I know the import process is working, because if I change the passwordHash to a regular MD5 password hash, I am able to authenticate with that user.

I made a Stack Overflow post about this as well, which includes code snippets and a little more information. That post can be found here: https://stackoverflow.com/questions/69743513/importing-php-crypt-md5-passwords-into-google-cloud-identity-platform/69747036#69747036

[Bruno (Cloud Platform Support)]

Hi Nick, 

From everything you have mentioned and based on the official documentation you linked (https://cloud.google.com/identity-platform/docs/migrating-users#pbkdf), it appears that MD5 Crypt password hashes are indeed not supported by GCIP at this time. However, It's still possible to transition users, although it won't be as easy as a direct import.

Option 1: Import users over immediately, but require them to perform a password reset on first login.

Option 2: Have a transition time where you collect and re-hash passwords

If the above options do not suit your use case, the best next step would be to open a feature request here https://issuetracker.google.com/issues/new?component=1120253&pli=1&template=1629969. The GCIP product team will triage the feasibility of integrating MD5 Crypt hashing and respond accordingly. 

P.S: Original post was not publicly visible. We have since taken measures to ensure that future posts will be visible to the public. OP, please post your follow up inquiries here. 

[Nick G]

For option 1 that you mentioned, how exactly would that process work? How would I import the users and have them login initially while forcing a password reset?

I was looking through the documentation, but didn't see anything about forcing password resets. I'm also unsure about the initial login process would work, if I'm unable to import their password. I suppose identity platform supports signin with an email link, and that's what you're suggesting we use for initial login?

Thanks for your help.