By Cristiano Hansen

ABAP password hash algorithms: CLEANUP_PASSWORD_HASH_VALUES

About a month ago I was asked about password hash algorithms; the person asking had attended the SEC105 TechEd session (SAP Runs SAP: How to Hack 95% of all SAP ABAP Systems and How to Protect).

Before answering, I went through SAP note 1458262 (ABAP: recommended settings for password hash algorithms).

What I did

First I had a look at table USR02 in client 001:

/wp-content/uploads/2015/10/001_817017.jpg

For testing purposes, I disabled the password for the last user ID in the list:

/wp-content/uploads/2015/10/002_817018.jpg

Then I executed report CLEANUP_PASSWORD_HASH_VALUES:

/wp-content/uploads/2015/10/003_817049.jpg

USR02 after report’s execution:

/wp-content/uploads/2015/10/004_817050.jpg

After setting an initial password for the third user (counting from the bottom of the list):

/wp-content/uploads/2015/10/005_817051.jpg

And after the password was changed by the user:

/wp-content/uploads/2015/10/006_817052.jpg


Conclusions

My experiment was conducted in a standalone ABAP system. For systems that are part of a CUA (Central User Administration) landscape, additional steps are required.

The report is useful and makes the system more secure. Note that it recommends a follow-up action: enforce stronger password hashes. In practice that means stopping the generation of downward-compatible hashes (profile parameter login/password_downwards_compatibility = 0, as recommended in note 1458262) and then having the affected users change their passwords; an SM50 logon trace, per SAP note 495911, shows what happens behind the scenes during those password changes.

After executing the report, you will find at least three "categories" of users in USR02:

  • Password disabled users, with the following entries:

BCODE = 0000000000000000

CODVN = X

PASSCODE = 0000000000000000000000000000000000000000

PWDSALTEDHASH = blank


  • Users with PWDSALTEDHASH filled (the salted, iterated hash, code version H):

BCODE and PASSCODE zeroed as above

  • Users with PASSCODE filled:

BCODE zeroed as above, PWDSALTEDHASH blank and CODVN = F.

For the last case, the report classifies code version F as:

suboptimal, records with 7.00/7.01 hash value found

so a password hash is in place, but it is the older unsalted SHA-1 PASSCODE hash of release 7.00/7.01 rather than the salted PWDSALTEDHASH.

It is important to realize that the report only deletes existing redundant weaker hashes; it cannot create new ones, since to do so it would have to know the passwords.

If PASSCODE is the strongest hash some users have, that is because it was the strongest format the system supported at the time those passwords were set.

If you want only PWDSALTEDHASH values, the system administrator has to set new initial passwords for all users with CODVN = F, and the users then change them.

There is no automated conversion for this, because the plaintext password is unknown.
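To turn the three categories above into an audit that can be repeated after every run of the report, here is an added example (my own code, not part of the original post or of SAP's report). It assumes a tab-separated SE16/SE16N export of USR02 restricted to BNAME, CODVN, BCODE, PASSCODE and PWDSALTEDHASH; the sample rows and the hash values in them are constructed placeholders. It goes slightly beyond the post by also recognising the two states you see before the cleanup has done its work: a salted hash accompanied by a redundant legacy hash (which the report would delete) and a BCODE-only hash (older than the 7.00/7.01 PASSCODE).

```python
"""Classify USR02 rows by password-hash state.

Added example, not from the post. Input: tab-separated export of USR02
with the columns BNAME, CODVN, BCODE, PASSCODE, PWDSALTEDHASH.
"""
import csv
import io

# Values the cleanup report leaves behind in the legacy columns.
EMPTY_BCODE = "0" * 16
EMPTY_PASSCODE = "0" * 40

CATEGORIES = (
    "disabled",                      # CODVN X, no usable hash at all
    "salted_only",                   # PWDSALTEDHASH only: the target state
    "salted_with_redundant_legacy",  # PWDSALTEDHASH plus BCODE/PASSCODE: report would clean this
    "passcode_only",                 # CODVN F: unsalted SHA-1, needs a password change
    "bcode_only",                    # pre-7.00 BCODE only: weakest, needs a password change
)

# Constructed sample export; hash strings are placeholders, not real hashes.
SAMPLE_EXPORT = (
    "BNAME\tCODVN\tBCODE\tPASSCODE\tPWDSALTEDHASH\n"
    "ADMIN\tH\t0000000000000000\t0000000000000000000000000000000000000000\tsalted-placeholder-1\n"
    "RFC_USER\tI\t0000000000000000\t1A2B3C4D5E1A2B3C4D5E1A2B3C4D5E1A2B3C4D5E\tsalted-placeholder-2\n"
    "LEGACY1\tF\t0000000000000000\t1A2B3C4D5E1A2B3C4D5E1A2B3C4D5E1A2B3C4D5E\t\n"
    "OLDUSER\tB\t1A2B3C4D5E6F7A8B\t0000000000000000000000000000000000000000\t\n"
    "DISABLED\tX\t0000000000000000\t0000000000000000000000000000000000000000\t\n"
)


def _is_zero(value, width):
    """A legacy hash column counts as empty when blank or all zeros."""
    return value.strip() in ("", "0" * width)


def classify(row):
    """Map one USR02 row (dict of column -> string) to a category name."""
    has_salted = row["PWDSALTEDHASH"].strip() != ""
    has_passcode = not _is_zero(row["PASSCODE"], 40)
    has_bcode = not _is_zero(row["BCODE"], 16)

    if row["CODVN"].strip() == "X" or not (has_salted or has_passcode or has_bcode):
        return "disabled"
    if has_salted and not (has_passcode or has_bcode):
        return "salted_only"
    if has_salted:
        return "salted_with_redundant_legacy"
    if has_passcode:
        return "passcode_only"
    return "bcode_only"


def audit(export_text):
    """Group user names by category; returns a dict with every category present."""
    result = {name: [] for name in CATEGORIES}
    reader = csv.DictReader(io.StringIO(export_text), delimiter="\t")
    for row in reader:
        result[classify(row)].append(row["BNAME"])
    return result


def needs_password_reset(result):
    """Users whose strongest hash is a legacy one; only a new password fixes them."""
    return sorted(result["passcode_only"] + result["bcode_only"])


def has_cleanup_work(result):
    """True if CLEANUP_PASSWORD_HASH_VALUES still has redundant hashes to delete."""
    return bool(result["salted_with_redundant_legacy"])


if __name__ == "__main__":
    summary = audit(SAMPLE_EXPORT)
    for name in CATEGORIES:
        print(f"{name:30s} {summary[name]}")
    print("needs password reset:", needs_password_reset(summary))
    print("cleanup still pending:", has_cleanup_work(summary))
```

The classifier decides on column contents rather than on the CODVN letter, so a row whose CODVN disagrees with its hash columns still lands in the category that matters operationally. The "salted_with_redundant_legacy" bucket should be empty once login/password_downwards_compatibility is 0 and the report has been run; the two reset buckets only shrink as users actually change their passwords.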

References


SEC105 – SAP Runs SAP: How to Hack 95% of all SAP ABAP Systems and How to Protect

SAP note 2467 – Password rules and preventing incorrect logons

SAP note 495911 – Logon problem trace analysis

SAP note 862989 – New password rules as of SAP NetWeaver 2004s (NW ABAP 7.0)

SAP note 1023437 – ABAP syst: Downwardly incompatible passwords (since NW2004s)

SAP note 1237762 – ABAP systems: Protection against password hash attacks

SAP note 1458262 – ABAP: recommended settings for password hash algorithms

      7 Comments
      Former Member

      Good advice, thank you for sharing. I want to ask: is there any impact on existing passwords or Single Sign-On?

      Thank You

      Cristiano Hansen (Blog Post Author)

      Hi Picho,

      Please read note 1458262. This doesn't represent a problem for SSO, nor for existing passwords.

      Cheers,

      Cris

      Venu Katamneni

      I ran the report on my 7.40 system based on HANA but it recommends changing the CODVN value from F to H. Is there another version of this program that can work correctly for 7.40?

      Cristiano Hansen (Blog Post Author)

      Hi Venu,

      What exactly went wrong with the current report?

      Thanks,

      Cris

      Venu Katamneni

      Hi Cristiano,

      Thanks for the quick reply. Nothing went wrong with the report. We are looking to update the CODVN flag from F (existing in USR02) to H. Running this report identified that they are sub-optimal but not critical.

      Was wondering if there is a way (or this report aside) that can identify the 'F' and present a way to convert to 'H'.

      Cristiano Hansen (Blog Post Author)

      Hi Venu,

      Only changing the password should work. You can test with a case where "F" is being used. There is no automated tool to have this accomplished, as passwords are not known. 🙂

      Cheers,

      Cris

      Venu Katamneni

      Understood. We are trying to get this done in a non-messy way with the RFC users.