Password Hash

SAP NetWeaver Application Server (SAP NetWeaver AS) ABAP does not store any plaintext passwords, but rather only password hash values.

However, without the use of encryption technologies such as Secure Sockets Layer or Secure Network Communication, the system transfers the passwords in plaintext. The system stores logon data for external systems that is entered in destinations (with transaction SM59) in an encrypted format in the secure storage.

To increase the security of the password hash values, as of SAP NetWeaver AS 6.40, the system uses the password hash algorithm SHA1 instead of the MD5 algorithm. This means that the system can generate hash values that are more secure, but which are not backward-compatible, and which make reverse engineering attacks more difficult. To nevertheless be able to use backward compatible passwords, the system now generates two hash values by default: a backward compatible hash value and a new one. Use profile parameter login/password_downwards_compatibility to set the degree of backward compatibility, depending on your security requirements. You can set, for example, that the system only generates the new, non-backward-compatible hash values. This affects the following elements.

  • Communication frameworks (RFC, ICF) that transfer or store the passwords

  • Central User Administration (CUA), which distributes the password hash values

    If you use non-backward-compatible passwords, older systems can no longer call newer systems. This also means, as a matter of principle, that older and newer systems cannot use the same CUA.

    For more information, see SAP Note 792850 (Information published on SAP site).

In principle, new hash functions do not have an impact after an upgrade. The operation of the system and the password queries continue to run as before. The passwords of the new type gradually replace the passwords of the old type.

The system can determine at any time whether the current user password is of the new hash type or the old hash type. This information is stored in the user master record. During logon, the system calculates the password hash from the entered data and takes into account the information from the user master record. The system uses the details in the user master record to determine which part of the entered password it evaluates:

  • With passwords hashed using the old password hash algorithm, the system evaluates only the first 8 characters, and converts these to uppercase.

  • With passwords hashed using the new password hash algorithm, the system evaluates up to 40 characters, as the user entered them, that is, without converting them to uppercase.

To further increase the security of your system landscape, the system incorporates the following values in the representation of the password hash information:

  • The password hash value

  • The algorithm

  • A random value (salt)

This means that the storage is independent of the hash algorithm used and will also support completely new algorithms in the future. In addition to the existing hash algorithms, which work with a deterministic salt, the current release also provides new hash algorithms for user passwords, which use a randomly generated salt when calculating the password hash value. The hash value calculation can be performed a number of times, successively (that is, iterated), to make dictionary and brute force attacks more difficult. You can administer this password function using the profile parameter login/password_hash_algorithm.
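As an added illustration, not SAP's own code or storage format, the following Python model shows the two evaluation rules listed above (first 8 characters uppercased versus up to 40 characters case-sensitive) and a self-describing record that stores the algorithm, iteration count and salt next to the hash value so that verification needs no external configuration. The record layout, algorithm names and iteration counts are assumptions chosen for the example.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Assumed names for the two rule sets; they stand in for the old and new
# SAP code versions, whose real identifiers and layout are not modelled here.
LEGACY_ALG = "md5"     # old rule: only the first 8 characters, uppercased
CURRENT_ALG = "sha1"   # new rule: up to 40 characters, case preserved


def normalize(password: str, algorithm: str) -> bytes:
    """Apply the evaluation rule that belongs to the stored algorithm."""
    if algorithm == LEGACY_ALG:
        return password[:8].upper().encode("utf-8")
    return password[:40].encode("utf-8")


def make_record(password: str, algorithm: str = CURRENT_ALG,
                iterations: int = 1024, salt: Optional[bytes] = None) -> str:
    """Build a record of the form {algorithm,iterations}salt$hash.

    Algorithm, iteration count and random salt travel with the hash, so the
    storage does not depend on which algorithm produced a given entry.
    """
    if salt is None:
        salt = secrets.token_bytes(16)          # random salt per password
    digest = normalize(password, algorithm)
    for _ in range(iterations):                  # iterated hashing
        digest = hashlib.new(algorithm, salt + digest).digest()
    return f"{{{algorithm},{iterations}}}{salt.hex()}${digest.hex()}"


def verify(password: str, record: str) -> bool:
    """Recompute the hash using only the parameters found in the record."""
    header, body = record[1:].split("}", 1)
    algorithm, iterations = header.split(",")
    salt_hex, stored_hex = body.split("$")
    digest = normalize(password, algorithm)
    for _ in range(int(iterations)):
        digest = hashlib.new(algorithm, bytes.fromhex(salt_hex) + digest).digest()
    return hmac.compare_digest(digest.hex(), stored_hex)


if __name__ == "__main__":
    old = make_record("secret1234", LEGACY_ALG, iterations=1)
    new = make_record("secret1234")
    print(verify("SECRET12", old), verify("SECRET12", new))   # True False
```

Because the legacy rule truncates and uppercases, "SECRET12" verifies against an old-style record for "secret1234" but not against a new-style one, which is the behaviour the list above describes.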