07-06-2012 3:41 AM
Hi Gurus.
Recently we had a requirement wherein the FTP files needed a password to open, and it has been suggested that this password be stored in an SAP database table via encryption.
I was thinking of storing it in encrypted format via the method cl_http_utility=>if_http_utility~encode_base64.
But before going ahead, I wanted to be sure - is this the correct way of doing it? Does it compromise security in any way?
Thanks in adv.
07-06-2012 8:38 AM
The common way to store password is not to store the encrypted password itself, but only a hash of the password.
Take a look at this blog entry: http://scn.sap.com/community/abap/blog/2012/03/21/how-your-passwords-are-stored
07-06-2012 9:07 AM
Thanks Kay. I had read that blog earlier. But then if I store it as hash, how do I retrieve it later for use? I could not find any "Dehash" FM?
07-06-2012 9:22 AM
You just calculate the hash for the entered password and compare this to the stored hash.
The hash function is a one-way function, i.e. you can't go backwards and "dehash" it.
So even if you have a hash value, you can't tell which password was used to generate this hash.
07-06-2012 9:29 AM
Thanks Kay. But our requirement is like this - we have to store some passwords given to us by users. Then when we submit a file to their FTP server, we have to use that password to deposit the file. It will be run in background.
So if I store as hash, I need to 'dehash'. That's why earlier I was thinking of storing as Encrypted format. Any ideas on this? Thanks.
07-06-2012 9:55 AM
I see...
So I think you should go with the method stated in your initial post. If you want, you can add some salt value before encoding, so that a simple base64 decoding will not reveal your passwords.
07-06-2012 10:08 AM
07-06-2012 10:11 AM
Oh, just a constant value you use to modify the password before encryption, which is removed again after decryption.
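The two storage schemes discussed in this thread side by side, as an added example in Go (not ABAP, and not code from the original thread): the base64-plus-constant approach, which anyone who can read the table and the program can undo because base64 is an encoding rather than a cipher, and a reversible alternative that actually depends on a secret, AES-256-GCM under a key held outside the database table. The salt, key and password values are constructed for the demonstration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"strings"
)

// The thread's proposal: base64 of a constant "salt" plus the password; that is encoding, not encryption.
const fixedSalt = "XYZ" // constructed value, visible to anyone reading the code
func encodeWithSalt(password string) string {
	return base64.StdEncoding.EncodeToString([]byte(fixedSalt + password))
}

func decodeWithSalt(stored string) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(stored)
	return strings.TrimPrefix(string(raw), fixedSalt), err
}

// Reversible storage that needs a secret: AES-256-GCM under a key held outside the table.
func aeadFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Stored form: base64(nonce || ciphertext || tag), fresh random nonce per record.
func sealPassword(gcm cipher.AEAD, password string) (string, error) {
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(gcm.Seal(nonce, nonce, []byte(password), nil)), nil
}

// Open fails on a wrong key or a modified record: the GCM tag authenticates.
func openPassword(gcm cipher.AEAD, stored string) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(stored)
	n := gcm.NonceSize()
	if err != nil || len(raw) < n {
		return "", errors.New("not a sealed value")
	}
	pt, err := gcm.Open(nil, raw[:n], raw[n:], nil)
	return string(pt), err
}
```

Whoever can read the table still needs the key for the second scheme, so the key must not live in the same table or in the program source; the salted base64 value gives up the password to the same public library call that produced it.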