2020 Nov 13 3:24 PM
Hello frank.buchholz
I was wondering, when reading the updated SAP security baseline template (btw good to see that it is updated regularly), SAP advises using the SHA-512 salt with 15,000 iterations (encoding=RFC2307, algorithm=iSSHA-512, iterations=15000, saltsize=256).
How did you determine that this number has to be 15000?
OWASP says: 'at least 10000, but values to 100000 and up may be appropriate' (I advise my clients to use 200000 and up).
https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html#salting
2021 Jan 08 12:48 PM
Hello Roy,
This recommendation _might_ be based on the new "secure by default" installation option SAP offers when you install new systems. You might also check the RZ11 entry for parameter login/password_hash_algorithm.
For instance, in an S/4 2020 system you will find the following new line (and a reference to SAP note "2140269 - ABAP password hash: supporting salt sizes up to 256 bits"):
Recommended Value = encoding=RFC2307, algorithm=iSSHA-512, iterations=15000, saltsize=256
2022 Jan 24 7:55 PM
The work factor for the password hashing algorithm comes down to performance versus security. Since we are talking about passwords, the user has to wait until the hashing has finished before the password is accepted. I guess the number of iterations chosen as default shall make sure that most people don't notice a delay during an authentication. The default value must also consider a variety of different kinds of available performance on the application server.
In the end it's a configurable value. You are free to adjust it to the available performance on your server depending on the max concurrent authentication operations on a max peak business day.
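An added example, my own code rather than SAP's implementation or anything posted by the commenters, to make the work-factor trade-off above concrete: it uses PBKDF2-HMAC-SHA512 as a stand-in for SAP's iSSHA-512 (assumption: the real construction is described in SAP note 2140269 and is not reproduced here), a 256-bit salt, a hypothetical {ISSHA512} storage layout, and a calibration routine that doubles the iteration count from an OWASP-style floor until a single hash reaches a latency budget on the host it runs on.

```python
import base64
import hashlib
import hmac
import os
import time

FLOOR = 10_000  # lower bound from the OWASP guidance quoted in the thread
SCHEME = "{ISSHA512}"  # hypothetical label; SAP's real stored format is not reproduced here


def derive(password: str, salt: bytes, iterations: int) -> bytes:
    """Iterated salted SHA-512 via PBKDF2-HMAC-SHA512 (a stand-in, not SAP's iSSHA-512)."""
    return hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, iterations)


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def hash_password(password: str, iterations: int = 15_000, salt=None) -> str:
    """Store parameters with the digest: {ISSHA512}<iterations>$<b64 salt>$<b64 digest>."""
    salt = os.urandom(32) if salt is None else salt  # 32 bytes = saltsize 256 bits
    digest = derive(password, salt, iterations)
    return "%s%d$%s$%s" % (SCHEME, iterations, _b64(salt), _b64(digest))


def verify_password(password: str, stored: str) -> bool:
    """Re-derive with the stored salt and iteration count; compare in constant time."""
    if not stored.startswith(SCHEME):
        return False
    iters, salt_b64, digest_b64 = stored[len(SCHEME):].split("$")
    actual = derive(password, base64.b64decode(salt_b64), int(iters))
    return hmac.compare_digest(actual, base64.b64decode(digest_b64))


def cost_ms(iterations: int) -> float:
    """Wall-clock milliseconds for one derivation on this host (scales linearly)."""
    start = time.perf_counter()
    derive("benchmark-password", os.urandom(32), iterations)
    return (time.perf_counter() - start) * 1000


def calibrate_iterations(target_ms: float, floor: int = FLOOR) -> int:
    """Smallest count (starting at floor, doubling) whose single hash takes >= target_ms."""
    iterations = floor
    while cost_ms(iterations) < target_ms:
        iterations *= 2
    return iterations


if __name__ == "__main__":
    for n in (10_000, 15_000, 100_000, 200_000):
        print(f"{n:>7} iterations: {cost_ms(n):7.1f} ms")
    print("iterations for a ~100 ms login budget:", calibrate_iterations(100))
```

Multiply the per-hash cost by the peak number of concurrent logons to see whether a given count fits the application server's budget.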
2022 Feb 21 7:41 AM
Also interesting is this new kernel feature that was just released:
3143705 - Silent migration of iterated random-salted password hashes when configuration is hardened