Password mismatching after upgrade

I’m facing an issue after upgrading Keycloak from version 18 to 26.

After the upgrade, users are unable to log in and receive “Invalid user credentials”.

Here is what I observed:
• Existing users in the database have passwords hashed with PBKDF2-SHA256.
• After upgrading to Keycloak 26, newly reset passwords are stored using Argon2.
• When I reset a user’s password, login works correctly.
• However, migrated users with PBKDF2 hashes cannot log in.

It seems like during authentication Keycloak is trying to verify the old PBKDF2 hashes using Argon2 instead of the original algorithm.

I cannot reset passwords for all users because there are many of them.

My questions:

  1. Should Keycloak 26 automatically support verifying existing PBKDF2 hashes after upgrade?
  2. Do I need to explicitly enable PBKDF2 as a password policy in the new version?
  3. Is there any recommended migration strategy for password hash algorithms when upgrading to Argon2?

I would really appreciate any guidance on how to properly handle this migration without forcing all users to reset their passwords.

Yes – I believe so w.r.t. password policy - https://docs.redhat.com/en/documentation/red_hat_build_of_keycloak/26.0/html/server_administration_guide/configuring-authentication_server_administration_guide#password-policies

Yes. It should and it does, if the migrated data is correct.

No, setting a hash algorithm in the password policy is only for creating the hash of a new/changed password; it is not responsible for comparing existing passwords.

No, just export the users with their credential data properly (secretData AND credentialData) from your old system and import the data to your new system. Worked in all of the environments I migrated for various customers.
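To sanity-check an export the way the last answer describes, the following is an added Python example (not Keycloak's code): it verifies a password against one exported credential using the algorithm and iteration count recorded in that credential's own credentialData, independent of the realm's current policy, and refuses records where secretData or credentialData is missing. The record shape follows Keycloak's realm export (JSON strings inside `credentialData`/`secretData`); the password and salt are constructed, and deriving the key length from the stored hash length is this example's assumption.

```python
import base64
import hashlib
import hmac
import json
import os

# Keycloak algorithm ids as written in credentialData -> hashlib digest names.
PBKDF2_DIGESTS = {"pbkdf2": "sha1", "pbkdf2-sha256": "sha256", "pbkdf2-sha512": "sha512"}


def verify_keycloak_password(credential: dict, password: str) -> bool:
    """Verify a password against one exported Keycloak password credential.

    Algorithm and iterations come from credentialData, salt and hash from
    secretData. The realm's policy only governs how *new* hashes are created.
    """
    if credential.get("type") != "password":
        raise ValueError("not a password credential")
    try:
        cred = json.loads(credential["credentialData"])
        secret = json.loads(credential["secretData"])
    except (KeyError, json.JSONDecodeError) as exc:
        # A user migrated with one half missing can never authenticate.
        raise ValueError(f"incomplete credential export: {exc}") from exc
    algorithm = cred["algorithm"]
    if algorithm not in PBKDF2_DIGESTS:
        # e.g. "argon2": stored hash needs an Argon2 provider, not hashlib.
        raise NotImplementedError(f"unsupported algorithm {algorithm!r}")
    expected = base64.b64decode(secret["value"])
    salt = base64.b64decode(secret["salt"])
    # Assumption: the derived key is as long as the stored hash.
    derived = hashlib.pbkdf2_hmac(PBKDF2_DIGESTS[algorithm], password.encode("utf-8"),
                                  salt, int(cred["hashIterations"]), dklen=len(expected))
    return hmac.compare_digest(derived, expected)


def make_pbkdf2_credential(password: str, iterations: int = 27500,
                           algorithm: str = "pbkdf2-sha256", dklen: int = 32) -> dict:
    """Build a constructed credential in export shape, for demonstration only."""
    salt = os.urandom(16)  # constructed sample salt
    digest = hashlib.pbkdf2_hmac(PBKDF2_DIGESTS[algorithm], password.encode("utf-8"),
                                 salt, iterations, dklen=dklen)
    return {
        "type": "password",
        "credentialData": json.dumps({"hashIterations": iterations,
                                      "algorithm": algorithm, "additionalParameters": {}}),
        "secretData": json.dumps({"value": base64.b64encode(digest).decode(),
                                  "salt": base64.b64encode(salt).decode(),
                                  "additionalParameters": {}}),
    }
```

Run it over the `credentials` array of each exported user: a record that raises `ValueError` is exactly the kind of migrated entry that produces "Invalid user credentials" after the upgrade.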