feat: update docs for md5 hashing

Signed-off-by: Erol Keskin <[email protected]>
ory · Nov 21, 2022 · 7893cbb · 7893cbb
1 parent fb19b66
commit 7893cbb
Show file tree

Hide file tree

Showing 2 changed files with 72 additions and 0 deletions.
diff --git a/docs/kratos/concepts/credentials/username-email-password.mdx b/docs/kratos/concepts/credentials/username-email-password.mdx
@@ -410,6 +410,76 @@ $firescrypt$ln=<mem_cost>,r=<rounds>,p=<parallelization>$<salt>$<hash>$<salt_sep
 $firescrypt$ln=14,r=8,p=1$sPtDhWcd1MfdAw==$xbSou7FOl6mChCyzpCPIQ7tku7nsQMTFtyOZSXXd7tjBa4NtimOx7v42Gv2SfzPQu1oxM2/k4SsbOu73wlKe1A==$Bw==$YE0dO4bwD4JnJafh6lZZfkp1MtKzuKAXQcDCJNJNyeCHairWHKENOkbh3dzwaCdizzOspwr/FITUVlnOAwPKyw==
 ```
 
+### MD5
+
+Ory Identities doesn't hash password by MD5 but can compare stored MD5 hashes and migrate to configured hasher
+(`hashers.algorithm`). MD5 hashes can be configured in two different ways. Format is dependent on whether the hash is salted or
+not.
+
+#### Plain Format (for hashes without salt)
+
+```
+$md5$<hash>
+```
+
+#### Parameters
+
+- `hash`(`string`): The computed hash by the MD5 algorithm encoded in base64.
+
+#### Example
+
+```
+$md5$CY9rzUYh03PK3k6DJie09g==
+```
+
+#### Salted Format (for hashes with salt)
+
+If the salting should be performed before computing the MD5 hash, this format should be used.
+
+```
+$md5$pf=<salting-format>$<salt>$<hash>
+```
+
+#### Parameters
+
+- `salting-format`(`string`): Format string specifies how salting should be performed. It should be encoded in base64. For more
+  details, take a look at the [section below](#salting-format-parameter).
+- `salt`(`string`): A sequence of bits, known as a cryptographic salt encoded in base64.
+- `hash`(`string`): The computed hash by the MD5 algorithm encoded in base64. This method operates on two different stages. First,
+  it generates an input string to be given to MD5 algorithm with `salting-format`, `salt` and the User's password, in the second
+  stage generated string in the previous one is passed to the MD5 algorithm as an input. For more details, take a look at the
+  [section below](#salting-format-parameter).
+
+#### Example
+
+```
+$md5$pf=e1NBTFR9e1BBU1NXT1JEfQ==$MTIz$q+RdKCgc+ipCAcm5ChQwlQ==
+```
+
+#### Salting Format Parameter
+
+In this method, before computing the hash with MD5 algorithm, an input string to be given to MD5 algorithm is generated first.
+This generation step is dependent on the `salting-format`, `salt` itself and the `User's password`. Parameters for the
+`salting-format` is follows:
+
+- `{SALT}`: Salt value from the previous section.
+- `{PASSWORD}`: User's password in clear text.
+
+#### Example
+
+Assuming that User's password is `ory123` and salt is `c2FsdDEyMw==`(_in clear text: salt123_). If you were to define salting
+format as follows
+
+```
+{SALT}--{PASSWORD}
+```
+
+resulting generated string to be given to MD5 as input would be:
+
+```
+salt123--ory123
+```
+
 ## Example
 
 Assuming your Identity Schema is as follows:

diff --git a/docs/kratos/manage-identities/25_import-user-accounts-identities.mdx b/docs/kratos/manage-identities/25_import-user-accounts-identities.mdx
@@ -195,6 +195,8 @@ Besides clear text passwords it is possible to import password hashes. Currently
 - Argon2 family (`Argon2id`, `Argon2i`, `Argon2d`), for example:
   `$argon2id$v=19$m=16,t=2,p=1$bVI1aE1SaTV6SGQ3bzdXdw$fnjCcZYmEPOUOjYXsT92Cg`
 - BCrypt, for example: `$2a$10$ZsCsoVQ3xfBG/K2z2XpBf.tm90GZmtOqtqWcB5.pYd5Eq8y7RlDyq`
+- MD5, for example: salted `$md5$pf=e1NBTFR9e1BBU1NXT1JEfQ==$MTIz$q+RdKCgc+ipCAcm5ChQwlQ==` and plain
+  `$md5$CY9rzUYh03PK3k6DJie09g==`
 
 Read [this document](../../kratos/concepts/credentials/username-email-password.mdx#hashed-password-format) to learn more.