by dave_kinde 1155 days ago
It varies from provider to provider. With Auth0 you have to install a plugin from their marketplace to get an export. If you want the hashed passwords exported you have to email their support team and they pull it together for you - usually takes about 2 weeks.

Kinde has a self-serve export tool baked in, as we believe it is important for people to be able to change provider freely and not have vendor lock-in. We also have a self-serve import tool for organizations and users, including hashed passwords, so there is no disruption to the end customer.

1 comment

That's really good and thanks for responding to the question. I think I could be tempted to try a service like this for a future project.

I'm guessing the password hash format is something like bcrypt2? Is there an API for that? The feature quite nicely mitigates a situation where prices are unreasonably raised, but to mitigate a rug-pull event such as a business failure, malicious action or serious technical failure I'd probably want to automate this.

If that sounds like I'm sort of paranoid, it's probably because I am. I do this with all my company's cloud data.

Trust me when I say that we're paranoid about data too. Our security specialist was the second hire.

It was a huge issue with Auth0 recently when they were bought by Okta. We've spoken to customers who have had their prices increased 2-20x virtually overnight with no forewarning and they've been forced to go through a process with customer support in order to get access to their user base and move off.

I'll get someone from the team with a better understanding of the password hashing to get back to you on this but I believe it's bcrypt2.

As Dave mentioned, we're trying to make it as easy as possible to get your users out. I'll chat to someone from the team about the automation; it's an interesting idea.

That's right, bcrypt2 - we also upgrade imported users' passwords to this more secure hashing algorithm if they were previously using something less secure like md5. This is all done transparently on their first login with no impact to the user flow.

The self-service export is UI driven at the moment, as exporting passwords requires approval from an additional owner/admin for security. We could definitely extend this to be initiated by API though.
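The transparent first-login upgrade described in the comment above, as an added example that is not Kinde's code: an imported legacy md5 record is verified at login and, only when the password is correct, rewritten with a slow salted hash, so the user never notices the migration. Standard-library PBKDF2 stands in for bcrypt here to avoid a third-party dependency; the `md5$`/`pbkdf2_sha256$` prefixes, the iteration count and the sample user records are constructed for the example.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

LEGACY_PREFIX = "md5$"            # constructed: marks an imported unsalted md5 hash
STRONG_PREFIX = "pbkdf2_sha256$"  # constructed: marks the upgraded hash format
PBKDF2_ITERATIONS = 200_000       # illustrative work factor; tune for your hardware


def hash_strong(password: str, salt: Optional[bytes] = None) -> str:
    """Return a salted PBKDF2-SHA256 record (stand-in for bcrypt)."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"{STRONG_PREFIX}{PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def verify(password: str, stored: str) -> bool:
    """Check a password against either the legacy or the upgraded format."""
    if stored.startswith(LEGACY_PREFIX):
        expected = stored[len(LEGACY_PREFIX):]
        actual = hashlib.md5(password.encode()).hexdigest()
        return hmac.compare_digest(actual, expected)  # constant-time compare
    if stored.startswith(STRONG_PREFIX):
        parts = stored.split("$")
        if len(parts) != 4:
            return False  # malformed record: fail closed
        _, iters, salt_hex, dk_hex = parts
        dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iters))
        return hmac.compare_digest(dk.hex(), dk_hex)
    return False  # unknown format: never accept


def login(users: Dict[str, str], username: str, password: str) -> bool:
    """Authenticate; on success against a legacy hash, rehash in place.

    The rehash happens only after a correct password proves we hold the
    plaintext, so a wrong guess can never alter the stored record.
    """
    stored = users.get(username)
    if stored is None or not verify(password, stored):
        return False
    if stored.startswith(LEGACY_PREFIX):
        users[username] = hash_strong(password)  # transparent upgrade
    return True


# Constructed sample import: one legacy md5 user, one already-upgraded user.
IMPORTED_USERS = {
    "alice": LEGACY_PREFIX + hashlib.md5(b"correct horse").hexdigest(),
    "bob": hash_strong("battery staple"),
}
```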