
Password Security

Password-based authentication can be used to protect applications if the following advice is taken into account.

Description

Passwords are a familiar way to verify the identity of users and systems. They are simpler and cheaper than stronger forms of authentication such as smart cards or biometric scanners, and they provide a simple, direct means of protecting a system or an account. However, they also have well-known weaknesses. Password cracking is the process of guessing or breaking passwords in order to gain unauthorized access to a system or an account. Many passwords are not random and are trivial to guess. A more technical attack uses network sniffers, which capture the raw data transmitted across the network and decode its contents, including any passwords sent in plain text. Furthermore, attackers can crack passwords offline if they obtain the hashed password string, for example by intercepting it in transit or by reading an insecurely protected password store.

What Do I Get from SAP NetWeaver Application Server?

The overall process of password-based identification and authentication is as follows. First, the application asks for the user identification, usually the user's account name. Then the password is read and a hash value of the password is calculated. Often a salt, that is, a random string of data stored together with the hash, is mixed into the calculation so that an attacker cannot test precomputed hashes of known dictionary words against all accounts at once. Some password components also overwrite the memory in which the plain-text password was held. Finally, the system checks whether the hash of the user input and the stored hash value of the password match. If they do, the user is successfully authenticated.
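The following is an added example, not code from SAP NetWeaver AS or from this page, showing the steps above end to end: a per-user random salt, an iterated salted hash (PBKDF2-HMAC-SHA256 is assumed here as the hash function), a constant-time comparison, and overwriting the buffer that held the plain-text password. The in-memory user store and the user names are constructed for the example.

```python
import hashlib
import hmac
import secrets

# Constructed in-memory user store for this example: user_id -> (salt, hash).
# SAP NetWeaver AS keeps its own password store; this is only an illustration.
ITERATIONS = 200_000
user_store = {}


def derive(password, salt):
    """Salted, iterated hash of the password (PBKDF2-HMAC-SHA256, assumed here)."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, ITERATIONS)


def wipe(buf):
    """Overwrite a mutable buffer in place so the plain text does not linger in memory.
    Note: Python str/bytes objects are immutable and cannot be erased this way;
    the bytearray shows the principle a native password component would follow."""
    for i in range(len(buf)):
        buf[i] = 0


def register(user_id, password):
    """Store a fresh random salt and the salted hash; the plain text is never stored."""
    salt = secrets.token_bytes(16)  # per-user salt defeats precomputed dictionaries
    pw = bytearray(password.encode("utf-8"))
    try:
        user_store[user_id] = (salt, derive(pw, salt))
    finally:
        wipe(pw)


def authenticate(user_id, password):
    """Hash the supplied password with the stored salt and compare in constant time."""
    entry = user_store.get(user_id)
    # Unknown users get a dummy salt and hash so the work factor is the same and
    # response timing does not reveal which user IDs exist.
    salt, stored = entry if entry is not None else (bytes(16), bytes(32))
    pw = bytearray(password.encode("utf-8"))
    try:
        candidate = derive(pw, salt)
    finally:
        wipe(pw)
    matches = hmac.compare_digest(candidate, stored)
    return matches and entry is not None


if __name__ == "__main__":
    register("alice", "correct horse battery")
    print(authenticate("alice", "correct horse battery"))  # True
    print(authenticate("alice", "wrong password"))         # False
```

Because the salt is random per user, two users with the same password get different stored hashes, so an attacker who obtains the store cannot recognise shared passwords or reuse one precomputed table against every account.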

SAP NetWeaver Application Server (SAP NetWeaver AS) provides an authentication mechanism of the type described above. We recommend that, in general, you use the existing password authentication mechanism provided by SAP NetWeaver AS instead of implementing your own.

What Do I Need to Do?

The issues described above mean that you must handle user IDs and passwords carefully. The following recommendations help to prevent unauthorized persons from gaining access to your system:

  • Are passwords displayed in plain text?

    Do not display passwords in plain text; mask them with asterisks instead.

  • Are passwords saved or transmitted in plain text?

    • Passwords transmitted in plain text can be intercepted, which renders the user ID and password method of identification insecure. Transmit passwords using the Secure Network Communications (SNC) protocol instead.

    • Do not save passwords in plain text.

    • Prevent administrators from gaining access to passwords: store only secure hash values so that the original password cannot be recovered.

      Note

      SAP NetWeaver AS uses secure hash values to store passwords.

    • Do not invent your own code to encrypt or hash the original password.

  • Are passwords hard-coded in the source code?

    • Use a technology such as one-time passwords.

    • Store a changeable password in a central function, such as the configuration of RFC connections (transaction SM59), instead of in the source code.

    • Do not invent your own encryption algorithm.

  • Are passwords recorded in log, protocol, or trace files?

    • Do not use HTTP GET requests to send passwords, since all parameters appear in the URL.

      Use HTTP POST requests instead. In general, avoid transmitting passwords at all, in particular with every request you send. Use secure mechanisms, such as digital certificates, instead.

    • Take into account that the web server logs all URLs, including their query parameters.

    • Depending on the trace settings, passwords may also appear in readable form in trace files.

  • Are passwords in plain text overwritten in memory once they are no longer used?

    Overwrite passwords in memory once they are no longer needed; otherwise they may remain in memory even after the application has finished and could be read by a malicious application.

  • Are the user ID and password preconfigured or callable through a pull-down menu at the start of the application?

    Avoid using pull-down menus or preconfigured values for user ID and password entry. This is particularly important for the password.

  • Can all passwords, IDs and user names be changed?

    Non-changeable IDs and passwords often form the starting point for attacks on an application's security. Make sure that every ID and password can be changed.
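As an added example for the item "Are passwords recorded in log, protocol, or trace files?" above (this is not code from SAP NetWeaver AS or from this page), the following script scans web server access log lines for passwords that ended up in the URL of a GET request and shows how to redact such query parameters before a log line is written or forwarded. The log lines and the host names in them are constructed, the log format is assumed to be the common combined format, and the list of credential parameter names is illustrative and should be extended for your own applications.

```python
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Query parameter names treated as credentials. Illustrative list (assumption);
# extend it with the parameter names your own logon pages use.
SENSITIVE_PARAMS = {"password", "passwd", "pwd", "pass", "j_password", "sap-password"}

# Matches the request part of a combined-format access log line: "GET /path?x=1 HTTP/1.1"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Mar/2024:10:15:01 +0000] "GET /sap/bc/myapp/logon?sap-user=jdoe&sap-password=Winter2024 HTTP/1.1" 200 512',
    '10.0.0.5 - - [12/Mar/2024:10:15:07 +0000] "POST /sap/bc/myapp/logon HTTP/1.1" 302 0',
    '10.0.0.9 - - [12/Mar/2024:10:16:20 +0000] "GET /sap/bc/myapp/report?id=42 HTTP/1.1" 200 2048',
    '10.0.0.9 - - [12/Mar/2024:10:17:03 +0000] "GET /j_security_check?j_username=admin&j_password=S3cret! HTTP/1.1" 200 100',
]


def credential_params(target):
    """Return the names of query parameters in a request target that look like credentials."""
    query = urlsplit(target).query
    return [k for k, _ in parse_qsl(query, keep_blank_values=True) if k.lower() in SENSITIVE_PARAMS]


def find_credential_leaks(log_lines):
    """Scan access log lines; return (line number, method, leaked parameter names) per hit.

    Only the URL is logged, so a password sent in a POST body is not visible here;
    that is exactly why POST is preferred over GET for credentials."""
    hits = []
    for lineno, line in enumerate(log_lines, 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        leaked = credential_params(m.group("target"))
        if leaked:
            hits.append((lineno, m.group("method"), leaked))
    return hits


def redact_target(target, mask="REDACTED"):
    """Replace the values of credential parameters in a request target before logging it."""
    parts = urlsplit(target)
    pairs = [(k, mask if k.lower() in SENSITIVE_PARAMS else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(pairs)))


if __name__ == "__main__":
    for lineno, method, params in find_credential_leaks(SAMPLE_LOG):
        print(f"line {lineno}: {method} request leaks {', '.join(params)} in the URL")
    print(redact_target("/sap/bc/myapp/logon?sap-user=jdoe&sap-password=Winter2024"))
```

Run against a real access log, the scanner gives you a quick check of whether any application still sends credentials in the query string; the redaction function belongs in the logging path of any component that must record URLs.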