ABAP password hash algorithms: CLEANUP_PASSWORD_HASH_VALUES
About a month ago, I was questioned about password hash algorithms, as the questioner attended to the SEC105 TechEd session (SAP Runs SAP: How to Hack 95% of all SAP ABAP Systems and How to Protect).
Before answering I decided to go through SAP note 1458262 (ABAP: recommended settings for password hash algorithms).
What I did
First I had a look at table USR02, in client 001:
For testing purposes, I disabled the password for the last user ID in the list:
Then I executed report CLEANUP_PASSWORD_HASH_VALUES:
USR02 after report’s execution:
After setting an initial password for the third user (bottom to top of the list):
And after the password was changed by the user:
My experiment was conducted in a standalone ABAP system. For systems that are part of a CUA, additional steps are required.
The report is very useful, making your system more secure – note that the report recommends an action: enforce the usage of stronger passwords. This will lead to password changes (a SM50 logon trace, per SAP note 495911, will show what happens behind the scenes).
After executing the report, you can find at least 3 “categories” in USR02:
- Password disabled users, with the following entries:
BCODE = 0000000000000000
CODVN = X
PASSCODE = 0000000000000000000000000000000000000000
PWDSALTEDHASH = blank
- Users with PWDSALTEDHASH filled:
BCODE and PASSCODE as above
- Users with PASSCODE filled:
BCODE as above, PWDSALTEDHASH blank and CODVN = F.
For the last case, the code version F means:
suboptimal, records with 7.00/7.01 hash value found
so a hash password is already in place.
It is important to realize that the report solely delete existing (duplicate weaker) hashes but cannot create new ones, for this the report would have to know the passwords.
In case the “strongest” password hash of some users are passcode then this is because of the time when they were entered the system created those.
If you would like to have only pwdsaltedhash passwords, then the system administrator would have to provide new passwords for all users with codvn=F.
There is no automated change for this, as the password is unknown.
SEC105 – SAP Runs SAP: How to Hack 95% of all SAP ABAP Systems and How to Protect
SAP note 2467 – Password rules and preventing incorrect logons
SAP note 495911 – Logon problem trace analysis
SAP note 862989 – New password rules as of SAP NetWeaver 2004s (NW ABAP 7.0)
SAP note 1023437 – ABAP syst: Downwardly incompatible passwords (since NW2004s)
SAP note 1237762 – ABAP systems: Protection against password hash attacks
SAP note 1458262 – ABAP: recommended settings for password hash algorithms
Good Advise, thank you for sharing, i want to ask is there any Impact on existing passwords or Single Sign On?
Please read note 1458262. This doesn't represent a problem for SSO, neither to existing passwords.
I ran the report on my 7.40 system based on HANA but it recommend to change the CODVN value from F to H. Is there another version of this program that can work correctly for 7.40?
What exactly went wrong with the current report?
Thanks for the quick reply. Nothing went wrong with the report. We are looking to update the CODVN flag from F (existing on USR01) to H. Running this report identified that they are sub-optimal but not critical.
Was wondering if there is a way (or this report aside) that can identify the 'F' and present a way to convert to 'H'.
Only changing the password should work. You can test with a case where "F" is being used. There is no automated tool to have this accomplished, as passwords are not known. 🙂
Understood. We are trying to get this done in a non-messy way with the RFC users.