Technology Blogs by SAP
Learn how to extend and personalize SAP applications. Follow the SAP technology blog for insights into SAP BTP, ABAP, SAP Analytics Cloud, SAP HANA, and more.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

ABAP password hash algorithms: CLEANUP_PASSWORD_HASH_VALUES

cris_hansen
Advisor
Advisor
‎10-24-2015 6:29 PM

About a month ago, I was questioned about password hash algorithms, as the questioner attended to the SEC105 TechEd session (SAP Runs SAP: How to Hack 95% of all SAP ABAP Systems and How to Protect).

Before answering I decided to go through SAP note 1458262 (ABAP: recommended settings for password hash algorithms).

What I did

First I had a look at table USR02, in client 001:

For testing purposes, I disabled the password for the last user ID in the list:

Then I executed report CLEANUP_PASSWORD_HASH_VALUES:

USR02 after report's execution:

After setting an initial password for the third user (bottom to top of the list):

And after the password was changed by the user:


Conclusions

My experiment was conducted in a standalone ABAP system. For systems that are part of a CUA, additional steps are required.

The report is very useful, making your system more secure - note that the report recommends an action: enforce the usage of stronger passwords. This will lead to password changes (a SM50 logon trace, per SAP note 495911, will show what happens behind the scenes).

After executing the report, you can find at least 3 "categories" in USR02:

  • Password disabled users, with the following entries:

BCODE = 0000000000000000

CODVN = X

PASSCODE = 0000000000000000000000000000000000000000

PWDSALTEDHASH = blank


  • Users with PWDSALTEDHASH filled:

BCODE and PASSCODE as above

  • Users with PASSCODE filled:

BCODE as above, PWDSALTEDHASH blank and CODVN = F.

For the last case, the code version F means:

suboptimal, records with 7.00/7.01 hash value found

so a hash password is already in place.

It is important to realize that the report solely delete existing (duplicate weaker) hashes but cannot create new ones, for this the report would have to know the passwords.

In case the "strongest" password hash of some users are passcode then this is because of the time when they were entered the system created those.

If you would like to have only pwdsaltedhash passwords, then the system administrator would have to provide new passwords for all users with codvn=F.

There is no automated change for this, as the password is unknown.

References


SEC105 – SAP Runs SAP: How to Hack 95% of all SAP ABAP Systems and How to Protect

SAP note 2467 - Password rules and preventing incorrect logons

SAP note 495911 - Logon problem trace analysis

SAP note 862989 - New password rules as of SAP NetWeaver 2004s (NW ABAP 7.0)

SAP note 1023437 - ABAP syst: Downwardly incompatible passwords (since NW2004s)

SAP note 1237762 - ABAP systems: Protection against password hash attacks

SAP note 1458262 - ABAP: recommended settings for password hash algorithms

7 Comments
Labels in this area
Popular Blog Posts