<@U04UQ68083H> how to import user’s password from ...
# ory-copilot
e
@chilly-king-10285 how to import user’s password from another IDP into Ory? Will the users be triggered into an Ory login browser flow?
c
A message from kapa.ai
You have two main options to import users’ passwords into Ory:

1) Import hashed or clear-text passwords
- If you have hashes in a supported format (e.g., BCrypt, Argon2, PBKDF2, etc.), include them as credentials.password.config.hashed_password when creating or importing identities. This preserves existing passwords so users can log in normally after import. [[Hashed passwords](https://www.ory.sh/docs/kratos/manage-identities/import-user-accounts-identities#hashed-passwords); [Create identity API](https://www.ory.sh/docs/reference/api#tag/identity/operation/createIdentity)]
- If you only have clear-text passwords, include credentials.password.config.password and Ory will hash them during import (slower for large batches). [[Importing credentials](https://www.ory.sh/docs/kratos/manage-identities/import-user-accounts-identities#importing-credentials); [Bulk import](https://www.ory.sh/docs/kratos/manage-identities/import-user-accounts-identities#bulk-import-identities-from-other-providers)]

2) Use the password migration hook (no hashes available or unsupported format)
- Import identities with an empty hashed_password and set use_password_migration_hook: true. On the user’s first login, Ory calls your webhook with the identifier and entered password; if your legacy system confirms a match, Ory stores the new hash and completes login. [[Password migration hook](https://www.ory.sh/docs/kratos/manage-identities/import-user-accounts-identities#password-migration-using-a-web-hook)]

Will users be triggered into an Ory login browser flow?
- Yes. After import, users authenticate through Ory’s login flow (UI or API). If you imported valid password hashes (or clear-text to be hashed), they can sign in immediately with the same credentials. If using the migration hook, their first login via the Ory flow will trigger the webhook to migrate the password seamlessly. [[Import identities](https://www.ory.sh/docs/migrate-to-ory#get-user-data-and-credentials); [Password migration hook](https://www.ory.sh/docs/kratos/manage-identities/import-user-accounts-identities#password-migration-using-a-web-hook)]

Notes:
- For PBKDF2 imports, ensure the PHC-style format is correct; base64 padding nuances can matter (some users reported needing to trim “==” when composing the string). [[Issue 301](https://github.com/ory/network/issues/301)]
- For bulk imports, use batchPatchIdentities and mind batch limits/timeouts. [[Bulk import](https://www.ory.sh/docs/kratos/manage-identities/import-user-accounts-identities#bulk-import-identities-from-other-providers); [Migrate to Ory](https://www.ory.sh/docs/migrate-to-ory#import-identities)]
e
@chilly-king-10285 for the 2nd question, will I need to let users trigger Ory’s login browser API in order to migrate users’ passwords?
c
A message from kapa.ai
Yes. When using the password migration hook (no/unsupported hashes), users must authenticate through Ory’s login flow. On their first login via the browser (or API) flow, Ory calls your migration webhook with the identifier and entered password; if it matches, Ory stores the new hash and completes the login. [[Password migration hook](https://www.ory.sh/docs/kratos/manage-identities/import-user-accounts-identities#password-migration-using-a-web-hook)] If you import supported password hashes upfront, users can log in immediately through the standard Ory login flow without invoking the migration hook. [[Get user data](https://www.ory.sh/docs/migrate-to-ory#get-user-data-and-credentials)]
e
@chilly-king-10285 in order to migrate the user’s password, does the user’s identity need to exist in Kratos?
c
A message from kapa.ai
Sorry @enough-vase-33352, I am experiencing especially high traffic right now, please try again. 🧑‍💻
e
@chilly-king-10285 in order to migrate the user’s password, does the user’s identity need to exist in Kratos?
c
A message from kapa.ai
Yes. For the password migration hook to run, the user must already exist as an identity in Ory with password credentials configured for migration (empty hash and use_password_migration_hook: true). You bulk-import these identities first, then their first Ory login triggers the webhook to verify and store the hash. [[Password migration](https://www.ory.sh/docs/kratos/manage-identities/import-user-accounts-identities#password-migration-using-a-web-hook); [Bulk import](https://www.ory.sh/docs/kratos/manage-identities/import-user-accounts-identities#bulk-import-identities-from-other-providers)]
e
@chilly-king-10285 can I capture the user’s password and create the new user in Kratos at the same time?
c
A message from kapa.ai
Short answer: not in a single step.

- With the password migration hook, the identity must exist first (imported with an empty hash and use_password_migration_hook: true). Then, during the user’s first Ory login, Kratos captures the entered password via your webhook, verifies it against the legacy IDP, and stores a new hash. [[Password migration](https://www.ory.sh/docs/kratos/manage-identities/import-user-accounts-identities#password-migration-using-a-web-hook)]
- If you already have the password (clear text or supported hash), you can create the identity and import the credentials in that same API call (or batch), so the user is created “at the same time” as providing the password, but that’s an admin import action, not capturing it during a login screen. [[Importing credentials](https://www.ory.sh/docs/kratos/manage-identities/import-user-accounts-identities#importing-credentials); [Create identity API](https://www.ory.sh/docs/reference/api#tag/identity/operation/createIdentity)]

If your goal is “user enters password once, and we create them on the fly,” Kratos does not document a built-in flow that both creates a brand-new identity and captures the password in the same end-user login attempt. The documented path is: pre-create/import identity, then migrate on first login. [[Password migration](https://www.ory.sh/docs/kratos/manage-identities/import-user-accounts-identities#password-migration-using-a-web-hook)]
e
@chilly-king-10285 if users have already migrated their password into Ory, do we need to disable the password hook for the new users?
c
A message from kapa.ai
Short answer: you don’t have to disable it globally, but you should stop running the password migration hook for identities that no longer need it.

Recommended approach:
- Import identities for migration with use_password_migration_hook: true and an empty hashed_password. After a successful first login, Ory stores a proper hash and will not call the migration hook again for that identity. No per-user change needed. [[Password migration hook](https://www.ory.sh/docs/kratos/manage-identities/import-user-accounts-identities#password-migration-using-a-web-hook)]
- Once all (or most) users are migrated, you can disable the migrate_hook in the password method config to avoid unnecessary webhook calls for newly created users who already have proper passwords set at creation time. This is an operational choice; the docs don’t mandate it, but it’s safe after migration is complete. [[Password migration hook](https://www.ory.sh/docs/kratos/manage-identities/import-user-accounts-identities#password-migration-using-a-web-hook)]

If you continue creating new users with normal password credentials (hashed_password or password set), they won’t trigger the migration hook anyway, as it only runs for identities marked with use_password_migration_hook: true. [[Password migration hook](https://www.ory.sh/docs/kratos/manage-identities/import-user-accounts-identities#password-migration-using-a-web-hook)]