SAP Cybersecurity: How Secure Are Your Passwords?

Posted by Prof. Dr. Nick Gehrke on Oct 12, 2017 4:45:00 PM

Cybersecurity is a topic that pretty much everyone is talking about at the moment. The discussion is often aimed at the infrastructure level, i.e. the security of networks and operating systems. However, the application level should not be forgotten either! One of the most important business application systems is often the company’s ERP system, which in very many cases turns out to be SAP. This blog post introduces you to the topic of SAP password security and provides practical tips on how to secure your SAP system.

 

SAP Password Security

How do SAP passwords work?

To gain access to an SAP system, each user must enter his or her password. In this respect, SAP is no different to any other application. The SAP system compares the password entered by the user with the user password stored in the SAP system. However, it is not the actual password of the user that is stored in the SAP system, but only what is referred to as a "password hash". This means that the password cannot be found in plain text in the SAP System. The password hash is a string that is calculated using a hash function, which transforms the plain password into a password hash. When a user enters a password, SAP calculates the password hash of this entry and compares the hash that has just been calculated with the password hash stored for the user in the SAP system. If the hashes match, the user can log in successfully. The password in plain text is therefore not used for the purposes of verification.

A password hash has the property that you can calculate the password hash from the plain password very quickly using the hash function. The trick behind using hash functions is that it's hard to deduce the plain password starting from the password hash. This makes the process fundamentally safe. Experts also refer to such hash functions as one-way functions: they only work in "one direction".

Known cryptographic hash functions for calculating password hashes are MD5, SHA1 or SHA2.

SAP ERP uses the SHA1 algorithm, which means that password hashes in SAP have a length of 160 bits. SHA1 is no longer considered safe however and it has already been shown that (under laboratory conditions) it is possible to successfully attack SHA1 hashes.

 

Where can the passwords in SAP be found?

All the data in SAP is stored in a relational database that runs behind the SAP system in many different tables. The SAP user passwords are no exception to this rule, and they are stored in one of the numerous database tables. The password hashes are located in the USR02 table in the BCODE, PASSCODE and PWDSALTEDHASH data fields. Other tables like USH02 contain the password history.

SAP Password Hashes are therefore accessible to all SAP users who have the access rights to view SAP database tables. Database tables can be viewed using the SAP transaction SE16 or similar transactions. If you have access to SE16, you can call up the table USR02, and then view and download the password hashes in the PASSCODE field for each user.

 

How to crack an SAP password?

You can, of course, only crack SAP Password Hashes if you have obtained the SAP Password Hashes from the table USR02. Since the hash function used in SAP to calculate password hashes is a one-way function, there is no algorithm and no calculation rule for making any inferences from the password hash to the original password in plain text. In practice, there is no alternative but to try out (very many) different passwords. This involves, for example, taking a list of candidate passwords, calculating the password hash with the SHA1 algorithm and then comparing the calculated password hash with the password hash in the PASSCODE data field in the table USR02. This means that in order to crack passwords many different possibilities have to be tried out in a computationally intensive manner. This method is called a "brute-force attack" and basically amounts to trying out a large number of possibilities by "brute-force trial and error". Such a process of "brute-force trial and error" is of course not carried out by hand. Computer programs that can carry out such tests using all the available computing power at their disposal can be used to do this. There are several such tools on the market, like John the Ripper or Hashcat, that can be used to crack SAP password hashes.

 

How can you ensure that your SAP users are using secure passwords?

If as an IT auditor, IT security representative or SAP administrator, you want to try your hand as a password hacker, you should consider things very carefully before you go any further. If there is any doubt, such "hacker actions" will usually be regarded as rather problematic in a corporate context, since a "special mandate" is definitely required if you want to go about testing the security of your system in this way. However, no-one in your company will have anything against you designing your SAP system in such a way that users have no choice but to choose secure passwords. In case you had any doubt, it is actually your duty to do this. The question is, therefore, how to set up an SAP system in a sensible way with regard to password security.

Password security is configured in SAP using system-wide parameters. You can view these password parameters in the Audit Information System in SAP via the path: AIS - System audit - System Configuration - Parameters - System parameters with documentation.

I've put together a list of 10 important password parameters below:

No

Parameter

Recommendation

1

login/min_password_lng

6 (minimum password length)

2

login/min_password_letters

1 (Password must contain at least one letter)

3

login/min_password_digits

1 (Password must contain at least one number)

4

login/min_password_specials

1 (Password must contain at least one special character)

5

login/min_password_diff

3 (at least half the minimum password length)

6

login/password_history_size

15 passwords (for a change that is forced every 90 days)

7

login/password_max_idle_initial

Validity period for an initial password does not exceed 3 working days

8

login/password_expiration_time

Forced change of password after a maximum of 90 days

9

login/password_max_idle_productive

Set the validity period of an unused password to be longer than the duration of the forced password change.

10

login/password_change_waittime

1 (User must wait one day to change his password)

 

The recommendations are taken from the SAP user group and are generally accepted. Further settings for system parameters regarding SAP passwords can be found on page 16 here (in German).

 

What else should I pay attention to when it comes to SAP passwords?

In addition to the system parameters for SAP password security, there are a number of other important points to note:

  1. Set up forbidden passwords for your SAP system. Trivial passwords should be excluded, such as your own company name or frequently-used everyday words. Forbidden passwords can be stored in the table USR40 so that SAP can reject the use of such passwords.
  2. When a user is created, an initial password is often assigned by the administrator, which must be changed upon the first login. Make sure that the initial password is not always the same, and that there is no risk that an unauthorized person might "hijack" an SAP user account due to widespread knowledge of the initial password.
  3. Even the most secure password is of no use if SAP users leave their workstations unattended when they are logged in and forget to lock their session. Then anyone can simply sit down at the computer and use SAP. For this reason, set SAP so that an automatic logout occurs after a certain period of inactivity (system parameter rdisp/ gui_auto_logout).

 

Do you have any further questions about SAP security?

Post a comment on this blog below.

Or download one of our informative ePapers:

 all ePapers

 

Topics: SAP Audit, Cyber, Cybercrime, Password, Security

Blog Commentary