cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Recover Sap portal user password

former_member568132
Explorer

on ‎10-22-2021 10:41 AM

0 Kudos

Hi,

I would like to recover the password of a Sap portal user (ume). I have seen that the IUserAccount library has the getHashedPassword() method that returns the encoded password. Is there a way to get the password without encryption? or is there a way to decode the result returned by getHashedPassword()? ,

thanks in advance,

regards.

PD: the portal version is 7.5 SP19

Show replies
Show replies
jurjen_heeck
Active Contributor
‎10-22-2021 12:59 PM
0 Kudos

I sincerely hope that this is not possible. Hashing is meant to be a one-way process. If you find a way, with or without password cracking software, please report it to SAP as a security issue.

Former Member
‎11-11-2021 11:34 AM

jheecksuperp is right. The passwords are stored hashed in table SAPSR3DB.UME_STRINGS and look like 

{SHA-256, 10000, 24}NLcByDS5XYWUAK7...iQjrMCYsh5WSL7YzWQofGlI=

One can say it is SHA-256 calculated 10.000 times and 24 is salt length. The only way to get it is via brute-force and depending on the password (and hardware) it could be impossible, but most likely it is not. For a simple 6 char pass it will take minutes. For 7 char - hours. For more complex 8 char - years.

What is possible - if the password is stored somewhere else e.g. maintained in RFC connection then it can be easily decrypted.

No need to inform SAP. They are aware of this.

Answer

Accepted Solutions (0)

Answers (1)

Answers (1)

Sriram2009
Active Contributor
‎10-22-2021 3:02 PM
0 Kudos

Hi Anibal

SAP EP portal UME pointing to the backend SAP ABAP system. I don't think you can recover the password it is securely bridged

Regards

SS

Show replies
Show replies
former_member568132
Explorer
‎10-25-2021 4:42 PM
0 Kudos

Our system is NetWeaver J2EE system which we use UME to store data. And it does not connect to any backend system to store user data

Ask a Question