1.3 Store password hashes using SHA-256 only

Information

Sybase ASE 15.0.2 can store each login's encrypted password (in practice a hash) in one of
two ways: as a SHA-256 hash together with a copy in the ASE proprietary format, or as a
SHA-256 hash only. The behaviour is toggled via the allow password downgrade password
policy option.

The default install setting for new ASE 15.0.2 installations is to store encrypted passwords
as SHA-256 hashes only. ASE servers upgraded to 15.0.2 are set to also store encrypted
passwords using the ASE proprietary algorithm.

Support for the ASE proprietary algorithm facilitates downgrades to older versions of
Sybase ASE. If the System Administrator is certain that the ASE server will not be
downgraded to an earlier version then encrypted passwords should be stored as SHA-256
hashes only.

Note that this configuration setting is not present in ASE 15.0 or 15.0.1.

Rationale:

SHA-256 is a standard, publicly reviewed hash algorithm and is considered more secure than
the ASE proprietary algorithm. Keeping a proprietary-format copy of every password alongside
the SHA-256 hash means the weaker form can still be read and attacked by anyone who obtains
the stored credentials, which defeats the purpose of the stronger hash.

Solution

1. Connect to the database as a user with the sso_role and execute the following SQL
statement to prevent the storage of encrypted passwords with the ASE proprietary algorithm:

exec sp_passwordpolicy 'set', 'allow password downgrade', 0
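The script below is an added example and is not part of the benchmark text: it shows the
audit step a practitioner would run before and after the remediation, with the weak
(upgrade-default) setting shown beside the corrected one. It assumes an isql session
logged in with sso_role on ASE 15.0.2 or later, and that the 'list' action of
sp_passwordpolicy prints the current option values (it does in the ASE reference;
exact column names are not shown here).

```sql
-- Added example, not from the benchmark. Assumes isql, sso_role, ASE 15.0.2+.
use master
go

-- Audit: list the current password policy options.
-- 'allow password downgrade' = 1 means a proprietary-format copy of each
-- password is still kept next to the SHA-256 hash (the upgrade default).
exec sp_passwordpolicy 'list'
go

-- Weak setting, shown only for contrast (this is what an upgraded server
-- starts with). Do not run this on a server you intend to harden:
-- exec sp_passwordpolicy 'set', 'allow password downgrade', 1

-- Remediate: store SHA-256 hashes only. Do this only once it is certain the
-- server will not be downgraded to a release before 15.0.2.
exec sp_passwordpolicy 'set', 'allow password downgrade', 0
go

-- Verify: 'allow password downgrade' should now report 0.
exec sp_passwordpolicy 'list'
go
```

Run the 'list' step first on every upgraded server, since an in-place upgrade leaves the
option at 1 while a fresh 15.0.2 install already has it at 0.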

See Also

https://workbench.cisecurity.org/files/1612