In this article, I'll summarize what I found out about SAP's password storage mechanism (for SU01 users, not the SecStore).

The passwords of all users are stored in table USR02 as one (or more) cryptographic hash value(s). Table USH02 and some others contain the password history (see SAP Note 1484692). This history used to be limited to the last 5 entries per user before NW 7.0; meanwhile, the number of entries is customizable via the profile parameter login/password_history_size (see SAP Note 862989). The hash algorithm has changed several times over time – either due to weaknesses or as a result of the increase in computing performance (see "CODVN H" below).

Per definition, the result of a cryptographic hash function is/should be irreversible, i.e. one cannot/shouldn't be able to retrieve the plain text password from the hash value… but that's the point where the fun starts! SAP Note 1237762 gives a good overview of hash attacks and has some rather helpful tips on how to prevent them!

Hash algorithms

The password cracking tool John the Ripper (with the "Jumbo" patch) supports two of SAP's common hash algorithms (CODVN B & F/G). Give it a try if you're serious about the security of your passwords!

This table summarizes the details of all currently available password hash algorithms (as per Q4/2012): USR02.

Unsupported characters (probably the same as with CODVN B) in the password and salt are replaced by an apostrophe (»'«).