Passwords are a familiar way to verify the identity of users and systems. They are simpler and cheaper than other, more secure forms of authentication such as smart cards or biometric scanners, and they provide a simple, direct means of protecting a system or an account. However, they also have known weaknesses. Password cracking is the process of recovering or guessing passwords in order to gain unauthorized access to a system or an account. Many passwords are not random but trivial to guess. A more technical way of cracking passwords is through network sniffers, which read the raw data transmitted across the network and decipher its contents, including passwords. Furthermore, attackers can crack passwords offline when they obtain the hashed password string during transmission or from an insecure password store.
Password-based authentication can be used to protect applications if the following advice is taken into account.
The overall process of password-based identification and authentication is as follows. First, the application asks for the user identification, usually the user's account name. Then the password is read and a hash value of the password is calculated. Often a salt, that is, a random string of data, is added in order to prevent an attacker from testing precomputed hashes of known dictionary words. Some password components also wipe the memory in which the password was stored. Finally, the system checks whether the hash of the user input and the stored hash value of the password match. If they do, the user is successfully authenticated.
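The following added example illustrates the steps just described (salt, hash, wipe, compare); it is not SAP NetWeaver's own implementation, and the storage format `iterations$salt$hash`, the PBKDF2-SHA256 scheme and the iteration count are assumptions chosen for the illustration.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed parameters for this example (not SAP NetWeaver's own settings).
ITERATIONS = 200_000
SALT_LEN = 16


def _wipe(buf: bytearray) -> None:
    """Overwrite the plaintext password once it is no longer needed."""
    for i in range(len(buf)):
        buf[i] = 0


def hash_password(password: bytearray, salt: Optional[bytes] = None) -> str:
    """Return 'iterations$salt_hex$hash_hex' for storage.

    The password is a mutable bytearray so that the caller's copy can be
    wiped after hashing; an immutable str or bytes could not be cleared.
    """
    if salt is None:
        salt = os.urandom(SALT_LEN)  # fresh random salt for every stored password
    digest = hashlib.pbkdf2_hmac("sha256", password, salt, ITERATIONS)
    _wipe(password)
    return f"{ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: bytearray, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    iterations, salt_hex, hash_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password, bytes.fromhex(salt_hex), int(iterations)
    )
    _wipe(password)
    # compare_digest does not stop at the first differing byte, so the
    # comparison time does not reveal how much of the hash matched.
    return hmac.compare_digest(digest, bytes.fromhex(hash_hex))
```

Because a new salt is drawn per user, two users with the same password get different stored strings, so one cracked entry does not reveal the other.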
The SAP NetWeaver platform provides an authentication mechanism of the type described above. We recommend that, in general, you use the existing password authentication mechanism provided by the SAP NetWeaver platform instead of implementing one of your own.
The issues described above make it necessary to handle user IDs and passwords carefully. The following recommendations may help to prevent an unauthorized person from gaining access to your system:
The SAP NetWeaver platform uses secure hash values to store passwords.
Use HTTP POST requests instead of GET requests when a password has to be sent. In general, you should avoid transmitting passwords at all, and in particular avoid sending them with every request. Use secure mechanisms instead, such as digital certificates.
Checklist - Secure Programming, section Password Security: www.sdn.sap.com/irj/servlet/prt/portal/prtroot/docs/library/uuid/4ab8b3bb-0601-0010-7b82-e392df20392a
This document is also included in the SAP NetWeaver Developer's Guide on the SAP Developer Network at www.sdn.sap.com/irj/sdn/devguide2004s in the section Fundamentals → Making Applications Enterprise Ready → Secure Programming.