Transform user passwords

The whole idea behind the data migration process is to smooth the transition from your legacy system to the ​Akamai​ Identity Cloud: if all goes well, users will travel to your website (or use your app), log on using their same email address and password, and never know that a change has been made. Like umpires and referees, Customer Identity and Access Management software is at its best when it simply does its job and no one ever notices it.

That’s why being able to migrate passwords is so vital. You don’t have to migrate passwords: if you want, you can migrate all your other user attributes and simply ignore the passwords. If you go that route, your users will still have valid accounts; however, every one of those users will have to create a new password before they can log on. Whether or not you want to impose that requirement on your users is a decision you’ll have to make for yourself.


And yes, that’s a decision that could be worth making. For example, suppose your legacy system had no password restrictions, but you’d like to enforce specific password restrictions (for example, minimum 7 characters, at least 1 uppercase letter and 1 number) on your new, ​Akamai​-powered site. By not migrating passwords you’ll force every user to not only change their password, but to change it to a password that meets the new restrictions.

The ​Akamai​ Identity Cloud currently supports the following password hashing algorithms:

  • bcrypt (password-bcrypt)
  • Standard Unix SHA256 Crypt (password-crypt-sha256)
  • Standard Unix SHA512 Crypt (password-crypt-sha512)
  • Standard Unix DES Crypt (password-crypt-des)
  • PBKDF2 (password-pbkdf2-sha1, password-pbkdf2-sha256, password-pbkdf2-sha512)
  • phpass SHA512 Truncated 55 (password-phpass-sha512-truncated-55)
  • netFORUM Hashing Algorithm (password-netforum)
  • SHA-256 (password-sha-256)
  • SHA-512 (password-sha-512)

If your legacy system uses a different password format, contact your ​Akamai​ representative to determine available options in supporting your format. Note, however, that, for security reasons, the following password hashing algorithms will never be supported by the ​Akamai​ Identity Cloud:

  • Plaintext passwords
  • Encrypted passwords
  • Case-insensitive passwords
  • Shortened passwords
  • Passwords using non-cryptographic hashing functions
  • Microsoft NT/LM password hashes

The transform_password function takes a password definition input and returns an object that will be stored in the user record password attribute.  The following are a few examples of password definitions as they will look in your CSV file:

password-bcrypt"{""type"": ""password-bcrypt"", ""value"": ""$2a$04$ogMILkiHiSvtpZpoJmVg7OotiEOpl7rQIhSwafBEpPKRVLm/SNQdu""}"
password-crypt-sha256"{""type"": ""password-crypt-sha256"", ""value"": ""$5$rounds=110000$/ CRnuBcMP1R4LMbx$7lAfRVq2DNcQXyRFJbXKjkrWHt4VKjNLAfo0Gm0mQaD