SAP password hash strengthening

The SAP password hash can be deciphered. See for example this blog. By increasing the complexity of the hash, you can slow down this process.

Questions that will be answered in this blog are:

  • How can I strengthen my SAP password hash?
  • Does it also work when I use CUA?

Password hash algorithm strength

Main blog for SAP password hash algorithm is 1458262 – ABAP: recommended settings for password hash algorithms. Note 2140269 – ABAP password hash: supporting salt sizes up to 256 bits describes the actual parameter value.

In RZ11 you need to set parameter login/password_hash_algorithm to exactly this value: encoding=RFC2307, algorithm=iSSHA-512, iterations=15000, saltsize=256.

Make sure you follow the correct syntax. The syntax is listed in OSS note 991968 - List of values for "login/password_hash_algorithm". If you don't do it properly, you might get the issue reported in OSS note 3043774 - Iterated salted hash is empty after having assigned or changed a password.

End result

Example for a test user. Before the setting the PWDSALTEDHASH field has this value:

After change of the parameter we reset the password of the user and the hash now looks like this:

Really more complex, hence more complex to decipher: the hashes are far stronger now. It can still be cracked, but it takes far more time on either single password or large group of passwords.

The parameter only effects new passwords. Not the existing ones.

CUA

If you use CUA, the password can be distributed from CUA. If you CUA system and connected systems are modern enough there is no issue at all. See the CUA section of OSS note 1458262 – ABAP: recommended settings for password hash algorithms.