Password-hash calculation

Former Member
0 Kudos

hi!


passwords of our internet users are stored in BAPIUSW01-PASSWORD as a password hash. The hash is calculated by the system-call XXPASSNET.


After we changed the password ruleset (kernel parameters login/min_password_digits and so on), hashes generated previously are no longer valid passwords. The call returns an empty hexpass. In other words: no user can log in anymore.


Is there a way to calculate a hash from a given string (=password) in the same way as XXPASSNET does? I already tried FM MD5_CALCULATE_HASH_FOR_CHAR or CALCULATE_HASH_FOR_CHAR, but they do not return the same result. Looks like XXPASSNET does not use MD5 or SHA1 but something else?


We authenticate using BAPI_PAR_EMPLOYEE_CHECKPASSWOR, which calls FM WWW_USER_AUTHORITY; inside, XXPASSNET is called.


Thanks for all information


Roland

7 REPLIES

Former Member
0 Kudos

It's probably the value of login/password_downwards_compatibility that has caused the problem. Pinging the space so that others can pitch in. Meanwhile you may want to read .

0 Kudos

If you want, we can move the thread to the Security section.

0 Kudos

hi,

login/password_downwards_compatibility is set on (which is the default value) in our systems. As far as I understand, this parameter allows other (older) hashes to be used and does not affect password rules such as at least one upper-case char, one special char etc.

Thanks for the link to the blog, very interesting. XXPASSNET uses codeversion A when called from the above mentioned BAPI.

Roland

PS: if the security section is the right choice for this topic, please move.

0 Kudos

Last I heard, the SU05 internet users were deprecated and no longer supported.

Take a look at FM susr_internet_user_migration, which converts them to SU01 users and issues them a proper code-versioned password hash which is compatible and not reversible.

Cheers,

Julius

0 Kudos

Thanks Julius. More or less I got the same reply from SAP support: it is simply not supported anymore. I cannot convert to SU01 users, so we are going to replace the password-creation BAPI with our own development and have all users create new passwords.

0 Kudos

I added the password-creation class in the SCN wiki. ABAP class to create random chars or passwords - Code Gallery - SCN Wiki

0 Kudos

Hi,

I would suggest using the standard FM RSEC_GENERATE_PASSWORD, which is used by SU01 when you ask the system for an initial random password. The generated password will comply with the system password policy.

Cheers
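Two points in this thread lend themselves to a worked example: Roland's plan to replace the password-creation BAPI with an own development and have every user set a new password, and the suggestion to generate initial passwords that comply with the system's password policy. The following is an added example, not code from the thread, from SAP or from the SCN wiki class mentioned above, and it is written in Python rather than ABAP so it can be run anywhere. It models the policy as a dictionary keyed by the SAP profile parameter names the thread mentions (the threshold values are constructed), generates a policy-compliant random password with a CSPRNG, checks any candidate against the policy, and stores a salted, non-reversible PBKDF2 hash rather than a code-version-specific one. The `SPECIALS` alphabet and the stored-hash string format are assumptions of this example, not SAP conventions.

```python
import hashlib
import hmac
import os
import secrets
import string

# Constructed policy values, keyed by the SAP profile parameter names the thread
# refers to (login/min_password_digits etc.). The numbers are assumptions.
POLICY = {
    "login/min_password_lng": 8,
    "login/min_password_digits": 1,
    "login/min_password_uppercase": 1,
    "login/min_password_lowercase": 1,
    "login/min_password_specials": 1,
}

# Assumed special-character alphabet for this example.
SPECIALS = "!#$%&*+-./:;<=>?@_"

# Each rule: (parameter name, predicate that says whether a character counts).
CLASS_RULES = [
    ("login/min_password_digits", str.isdigit),
    ("login/min_password_uppercase", str.isupper),
    ("login/min_password_lowercase", str.islower),
    ("login/min_password_specials", lambda c: c in SPECIALS),
]


def check_policy(password, policy=POLICY):
    """Return the names of the rules the password violates; [] means compliant."""
    failures = []
    if len(password) < policy["login/min_password_lng"]:
        failures.append("login/min_password_lng")
    for name, predicate in CLASS_RULES:
        if sum(1 for c in password if predicate(c)) < policy[name]:
            failures.append(name)
    return failures


def generate_password(length=12, policy=POLICY):
    """Generate a random password that satisfies the policy using a CSPRNG."""
    length = max(length, policy["login/min_password_lng"])
    alphabets = {
        "login/min_password_digits": string.digits,
        "login/min_password_uppercase": string.ascii_uppercase,
        "login/min_password_lowercase": string.ascii_lowercase,
        "login/min_password_specials": SPECIALS,
    }
    # First satisfy every per-class minimum, then fill up from the full alphabet.
    chars = [secrets.choice(alphabets[name])
             for name, _ in CLASS_RULES
             for _ in range(policy[name])]
    full_alphabet = "".join(alphabets.values())
    while len(chars) < length:
        chars.append(secrets.choice(full_alphabet))
    # Shuffle so the mandatory characters do not sit at predictable positions.
    secrets.SystemRandom().shuffle(chars)
    return "".join(chars)


def hash_password(password, salt=None, iterations=600_000):
    """Salted PBKDF2-HMAC-SHA256. Only salt, iteration count and digest are
    stored; the password itself is never recoverable from the record."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    # Assumed record format for this example: scheme$iterations$salt$digest.
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute the digest from the stored salt and compare in constant time."""
    try:
        scheme, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if scheme != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    initial = generate_password()
    print("generated:", initial, "violations:", check_policy(initial))
    record = hash_password(initial)
    print("stored record:", record)
    print("verify ok:", verify_password(initial, record))
```

Because the hash record carries its own salt and iteration count, the verification side never depends on a system-wide code version: changing the policy later only affects `check_policy` for newly chosen passwords, while existing records keep verifying, which is exactly the failure mode the original post ran into.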