Password Security

Description

Passwords are a familiar way to verify the identity of users and systems. They are simpler and cheaper than more secure forms of authentication such as smart cards or biometric scanners, and they provide a simple, direct means of protecting a system or an account. However, they also have known weaknesses. Password cracking is the process of guessing or breaking passwords in order to gain unauthorized access to a system or an account. Many passwords are not random but trivial to guess. A more technical way of cracking passwords is through network sniffers, which read the raw data transmitted across the network and decipher its contents, including passwords. Furthermore, attackers can crack passwords offline when they can obtain the hashed password string during transmission or from an insecure password store.

The password-based approach of authentication can be used to protect applications when the following advice is taken into consideration.

What Do I Get from the SAP NetWeaver Platform?

The overall process of password-based identification and authentication is as follows. First, the application asks for the user identification, usually the user's account name. Then the password is read and a hash value of the password is calculated. Often a salt (a random string of data) is added to the password before hashing, so that an attacker cannot use precomputed hashes of known dictionary words. Some password components also wipe the memory in which the password was stored. Finally, the system checks whether the hash of the user input matches the stored hash value of the password. If they match, the user is successfully authenticated.

The SAP NetWeaver platform provides an authentication mechanism of the type described above. We recommend that, in general, you use the existing password authentication mechanism provided by the SAP NetWeaver platform instead of implementing one of your own.

What Do I Need to Do?

The issues described above mean that you must handle user IDs and passwords carefully. The following recommendations may help to prevent an unauthorized person from gaining access to your system:

  1. Are passwords displayed in plaintext?
    • Do not display passwords in plaintext; show asterisks instead.
  2. Are passwords saved or transmitted in plaintext?
    • Passwords transmitted in plaintext can be intercepted, which renders the user ID and password method of identification insecure. Transmit passwords over a secure communication protocol, such as the Secure Sockets Layer (SSL) protocol.
    • Do not save passwords in plaintext.
    • Prevent even the administrator from gaining access to the password: store only secure hash values, so that the password cannot be recovered.
      Note

      The SAP NetWeaver platform uses secure hash values to store passwords.

    • Do not invent your own coding to encrypt the original password.
  3. Are passwords hard-coded in the source code?
    • Use a technology such as one-time passwords.
    • Use the Destination Service instead (for more information, see Secure Communication).
    • Do not invent your own encryption algorithm.
  4. Are passwords recorded in log, protocol or trace files?
    • Do not use HTTP GET requests to submit passwords, since all parameters appear in the URL. Use HTTP POST requests instead. In general, avoid transmitting passwords at all, and in particular avoid sending them with every request; use secure mechanisms such as digital certificates instead.
    • Take into account that the Web server logs all URLs.
    • Depending on the trace settings, passwords may also appear in readable form in traces.
  5. Are passwords in plaintext overwritten in memory once they are no longer used?
    • Overwrite passwords in memory; otherwise they may still exist in memory after the application has finished and could be read by a malicious application.
  6. Are the user ID and password preconfigured or selectable through a pull-down menu at the start of the application?
    • Avoid pull-down menus for the user ID/password entry. This is particularly important for the password.
  7. Can all passwords, IDs and user names be changed?
    • Non-changeable IDs and passwords often form the starting point for attacks on an application's security.
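The following Java class is an added illustration of the salt-and-hash process described under "What Do I Get from the SAP NetWeaver Platform?" and of checklist items 2, 4 and 5 above. It is example code written for this page, not SAP NetWeaver code, and it does not replace the platform's own password mechanism, which the text recommends using; the key derivation function (PBKDF2 with HMAC-SHA-256), the iteration count, the class and method names and the sample values are all assumptions. The store keeps only a salt and a hash, verification compares hashes in constant time, the plaintext is overwritten in memory as soon as it has been hashed, and a helper masks password parameters before a URL is written to a log.

```java
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

/**
 * Added example, not SAP NetWeaver code: salted password hashing, verification
 * and memory wiping as described in the text. Algorithm, iteration count and
 * sample values are assumptions made for this illustration.
 */
public final class PasswordCheckExample {
    private static final String KDF = "PBKDF2WithHmacSHA256"; // assumed choice
    private static final int ITERATIONS = 100_000;            // assumed choice
    private static final int SALT_BYTES = 16;
    private static final int HASH_BITS = 256;
    private static final SecureRandom RNG = new SecureRandom();

    /** What the password store keeps: salt and hash only, never the password. */
    public static final class StoredPassword {
        final byte[] salt;
        final byte[] hash;
        final int iterations;
        StoredPassword(byte[] salt, byte[] hash, int iterations) {
            this.salt = salt; this.hash = hash; this.iterations = iterations;
        }
    }

    /** Enrolment: hash the password with a fresh random salt, then wipe the plaintext. */
    public static StoredPassword enroll(char[] password) {
        byte[] salt = new byte[SALT_BYTES];
        RNG.nextBytes(salt);                       // per-user salt defeats precomputed dictionaries
        try {
            return new StoredPassword(salt, derive(password, salt, ITERATIONS), ITERATIONS);
        } finally {
            Arrays.fill(password, '\0');           // checklist item 5: overwrite plaintext in memory
        }
    }

    /** Login: hash the candidate with the stored salt and compare in constant time. */
    public static boolean verify(char[] candidate, StoredPassword stored) {
        try {
            byte[] hash = derive(candidate, stored.salt, stored.iterations);
            return MessageDigest.isEqual(hash, stored.hash); // constant-time comparison
        } finally {
            Arrays.fill(candidate, '\0');
        }
    }

    private static byte[] derive(char[] password, byte[] salt, int iterations) {
        PBEKeySpec spec = new PBEKeySpec(password, salt, iterations, HASH_BITS);
        try {
            return SecretKeyFactory.getInstance(KDF).generateSecret(spec).getEncoded();
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException("KDF unavailable", e);
        } finally {
            spec.clearPassword();                  // PBEKeySpec holds its own copy; wipe that too
        }
    }

    /** Checklist item 4: mask password query parameters before a URL is written to a log. */
    public static String redactForLog(String url) {
        return url.replaceAll("(?i)(password|pwd)=[^&]*", "$1=***");
    }

    public static void main(String[] args) {
        // Constructed sample. Real code takes the password as char[] from the input
        // field; a String literal like this one stays in the string pool and cannot be wiped.
        char[] pw = "Tr0ub4dor&3".toCharArray();
        StoredPassword rec = enroll(pw);
        System.out.println("plaintext wiped after enrolment: " + (pw[0] == '\0'));
        System.out.println("correct password accepted: " + verify("Tr0ub4dor&3".toCharArray(), rec));
        System.out.println("wrong password rejected: " + !verify("letmein".toCharArray(), rec));
        // A GET request with the password in the URL, as the text warns against; the log line is masked.
        System.out.println(redactForLog("/login?user=alice&password=Tr0ub4dor%263"));
    }
}
```

Two design points follow directly from the checklist. The password travels as a char[] rather than a String because a String cannot be overwritten, so item 5 cannot be satisfied with it; and redactForLog is only a safety net for the Web server and trace logs mentioned in item 4, since the real fix is to send the password in a POST body over a protected channel rather than in the URL at all.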
Further Information

Checklist - Secure Programming in the section Password Security

Note

www.sdn.sap.com/irj/servlet/prt/portal/prtroot/docs/library/uuid/4ab8b3bb-0601-0010-7b82-e392df20392a

This document is also included in the SAP NetWeaver Developer's Guide on the SAP Developer Network at www.sdn.sap.com/irj/sdn/devguide2004s in the section Fundamentals → Making Applications Enterprise Ready → Secure Programming.