https://community.sap.com/t5/application-development-and-automation-discussions/password-hash-algorithm/m-p/12244942#M1985550 <P>Hello Roy,</P><P>this recommendation _might_ be based on the new "secure by default" installation option SAP offer when you install new systems. You might also check RZ11 entry for parameter </P><PRE><CODE>login/password_hash_algorithm</CODE></PRE><P>For instance, in an S/4 2020 system you will find the following new line (and a reference to SAP note "2140269 - ABAP password hash: supporting salt sizes up to 256 bits"):</P><PRE><CODE>Recommended Value = encoding=RFC2307, algorithm=iSSHA-512, iterations=15000, saltsize=256<BR /></CODE></PRE> Fri, 08 Jan 2021 12:48:36 GMT Private_Member_5020 2021-01-08T12:48:36Z https://community.sap.com/t5/application-development-and-automation-discussions/password-hash-algorithm/m-p/12244941#M1985549 <P>Hello <SPAN class="mention-scrubbed">frank.buchholz</SPAN> </P> <P>I was wondering, when reading the updated SAP security baseline template (btw good to see that it is updated regularly), SAP advises to use the SHA-512 salt with 15.000 iterations (encoding=RFC2307, algorithm=iSSHA-512, iterations=15000, saltsize=256). </P> <P>How did you determined that this number has to be 15000?</P> <P>OWASP says: 'at least 10000, but values to 100000 and up may be appropriate', where I advise my clients to use 200000 and up). </P> <P><A href="https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html#salting" target="test_blank">https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html#salting</A></P> Fri, 13 Nov 2020 15:24:35 GMT https://community.sap.com/t5/application-development-and-automation-discussions/password-hash-algorithm/m-p/12244941#M1985549 former_member667629 2020-11-13T15:24:35Z https://community.sap.com/t5/application-development-and-automation-discussions/password-hash-algorithm/m-p/12244942#M1985550 <P>Hello Roy,</P><P>this recommendation _might_ be based on the new "secure by default" installation option SAP offer when you install new systems. You might also check RZ11 entry for parameter </P><PRE><CODE>login/password_hash_algorithm</CODE></PRE><P>For instance, in an S/4 2020 system you will find the following new line (and a reference to SAP note "2140269 - ABAP password hash: supporting salt sizes up to 256 bits"):</P><PRE><CODE>Recommended Value = encoding=RFC2307, algorithm=iSSHA-512, iterations=15000, saltsize=256<BR /></CODE></PRE> Fri, 08 Jan 2021 12:48:36 GMT https://community.sap.com/t5/application-development-and-automation-discussions/password-hash-algorithm/m-p/12244942#M1985550 Private_Member_5020 2021-01-08T12:48:36Z https://community.sap.com/t5/application-development-and-automation-discussions/password-hash-algorithm/m-p/12244943#M1985551 <P>The work factor for the password hashing algorithm comes down to performance versus security. Since we are talking about passwords, the user has to wait till the hashing has finished before the password is accepted. I guess the number of iterations chosen as default shall make sure that most people don’t notice a delay during an authentication. The default value must also consider a variety of different kind of available performance on the application server. <BR /></P><P>In the end it’s a configurable value. You are free to adjust it to the available performance on your server in dependence of the max concurrent authentication operations on a max peak business day.</P><BR /> Mon, 24 Jan 2022 19:55:18 GMT https://community.sap.com/t5/application-development-and-automation-discussions/password-hash-algorithm/m-p/12244943#M1985551 JoeGoerlich 2022-01-24T19:55:18Z https://community.sap.com/t5/application-development-and-automation-discussions/password-hash-algorithm/m-p/12244944#M1985552 <P>Also interesting is this new kernel-feature that was just released:</P><P><A href="https://launchpad.support.sap.com/#/notes/3143705">3143705 - Silent migration of iterated random-salted password hashes when configuration is hardened</A></P> Mon, 21 Feb 2022 07:41:31 GMT https://community.sap.com/t5/application-development-and-automation-discussions/password-hash-algorithm/m-p/12244944#M1985552 huberda 2022-02-21T07:41:31Z