ABAP password hash algorithms: CLEANUP_PASSWORD_HASH_VALUES

About a month ago, I was questioned about password hash algorithms, as the questioner attended to the SEC105 TechEd session (SAP Runs SAP: How to Hack 95% of all SAP ABAP Systems and How to Protect).

Before answering I decided to go through SAP note 1458262 (ABAP: recommended settings for password hash algorithms).

What I did

First I had a look at table USR02, in client 001:

For testing purposes, I disabled the password for the last user ID in the list:

Then I executed report CLEANUP_PASSWORD_HASH_VALUES:

USR02 after report's execution:

After setting an initial password for the third user (bottom to top of the list):

And after the password was changed by the user:

Conclusions

My experiment was conducted in a standalone ABAP system. For systems that are part of a CUA, additional steps are required.

The report is very useful, making your system more secure - note that the report recommends an action: enforce the usage of stronger passwords. This will lead to password changes (a SM50 logon trace, per SAP note 495911, will show what happens behind the scenes).

After executing the report, you can find at least 3 "categories" in USR02:

• Password disabled users, with the following entries:

BCODE = 0000000000000000

CODVN = X

PASSCODE = 0000000000000000000000000000000000000000

PWDSALTEDHASH = blank

• Users with PWDSALTEDHASH filled:

BCODE and PASSCODE as above

• Users with PASSCODE filled:

BCODE as above, PWDSALTEDHASH blank and CODVN = F.

For the last case, the code version F means:

suboptimal, records with 7.00/7.01 hash value found

so a hash password is already in place.

It is important to realize that the report solely delete existing (duplicate weaker) hashes but cannot create new ones, for this the report would have to know the passwords.

In case the "strongest" password hash of some users are passcode then this is because of the time when they were entered the system created those.

If you would like to have only pwdsaltedhash passwords, then the system administrator would have to provide new passwords for all users with codvn=F.

There is no automated change for this, as the password is unknown.

References

SEC105 – SAP Runs SAP: How to Hack 95% of all SAP ABAP Systems and How to Protect

SAP note 2467 - Password rules and preventing incorrect logons

SAP note 495911 - Logon problem trace analysis

SAP note 862989 - New password rules as of SAP NetWeaver 2004s (NW ABAP 7.0)

SAP note 1023437 - ABAP syst: Downwardly incompatible passwords (since NW2004s)

SAP note 1237762 - ABAP systems: Protection against password hash attacks

SAP note 1458262 - ABAP: recommended settings for password hash algorithms