in this article, I'd like to summarize what I found out about SAP's password storage mechanism (for SU01 users, not the SecStore).
The passwords of all users are stored in table USR02 as one (or more) cryptographic hash value(s).
Table USH02 and some others contain the password history (see SAP Note 1484692). This history used to be limited to the last 5 entries per user before NW 7.0; meanwhile the number of entries is customizable via the profile parameter login/password_history_size (see SAP Note 862989).
The hash algorithm has changed several times over time – either due to weaknesses or as a result of the increase in computing performance (see "CODVN H" below).
Per definition, the result of a cryptographic hash function is/should be irreversible, i.e. one cannot/shouldn't be able to retrieve the plain text password from the hash value… but that's the point where the fun starts! 😎
SAP Note 1237762 gives a good overview of hash attacks and has some rather helpful tips on how to prevent them!
The password cracking tool John the Ripper (with the "Jumbo" patch) supports two of SAP's common hash algorithms (CODVN B & F/G). Give it a try, if you're serious about the security of your passwords!
This table summarizes the details of all currently available password hash algorithms (as per Q4/2012):
|Max. Passw. Length||Pw.|
|Charset||Salt||Notes||SAP Note||Hash in|
|Character 1-6 of the username|
|Unsupported characters (probably the same as with CODVN B) in the password and salt are replaced by an apostrophe (»'«).|
Superseded by code version B (automatic migration during logon).
|Unsupported characters (see note) in the password and salt are replaced by »^«||735356||BCODE|
|Superseded by code version E|
(but almost identical)
|Correction of code version D||874738||BCODE|
|G||= Code versions B & F||BCODE &|
(curr. only iSSHA-1)
|40||sensitive||UTF-8||random||Hash algorithm and options can be set via parameter login/password_hash_algorithm||991968||PWDSALTEDHASH|
|I||= Code versions B, F & H||BCODE,|
The MD5- and SHA1-based algorithms consist of two hash iterations with "some Walld0rf magic" in between — for details, have a look at this posting in the john-users mailing list.
Kernel & profile parameters
The following has an impact on the used hash algorithm:
- the SAP kernel version
- the profile parameters:
- login/password_downwards_compatibility — if available
The following tables show the effect of the above on the hash algorithm on some test-systems:
Sources & further reading
Here's where the information in the above "Hash algorithms" table came from – plus additional resources:
- SAP Note 2467: Password rules and preventing incorrect logons
- SAP Note 721119: Logon with (delivered) default user fails
- SAP Note 735356: Special character in passwords; reactivation not possible
- SAP Note 862989: New password rules as of SAP NetWeaver 2004s
- SAP Note 874738: New password hash calculation procedure (code version E)
- SAP Note 991968: Value list for login/password_hash_algorithm
- SAP Note 1023437: Downwardly incompatible passwords since NW2004s
- SAP Note 1237762: Protection against password hash attacks
- SAP Note 1300104: CUA - New password hash procedures - Background information
- SAP Note 1458262: Recommended settings for password hash algorithms
- SAP Note 1484692: Protect read access to password hash value tables
- SAP Note 1488159: SUIM - RSUSR003 - Incorrect results for CODVN = F
- Openwall Wiki: Excerpts from john-users mailing list ← search for "SAP"
- Paper: "Perfect Storm - The Brave New World of SAP Security"
- Paper: "SAP Passwort Sicherheit" (2004) – German
- Onapsis has 2 great articles:
Happy reading — this is really helpful stuff! 😛