SAP Netweaver has its passwords hashed and also salted. But I read that a tool such as John the Ripper can bruteforce them.
So how does security varies when passwords are hashed, in particular in the sap system?
what if I have a password such is this... a12345 ?
Is it easy to bruteforce it, even though it is , lets say, salted?
A salt can make brute forcing much longer. Assuming the attacker only has hashes, he will have to find out the hash algorithm and the salt. You can sometimes tell the hash algo used by looking at the hash or at least narrow it down. Next is finding the salt. Usually a hacker probably has many hashes. You can assume a user has the password called "password" or the hacker made their own account so they know the password, and start appending a salt until you get a match. It's best to have unique salt per password to make this process more cumbersome, although they may focus all resources on an admin's hash.
Salt does not protect against brute force attacks because the salt is usually stored adjacent to the hash in clear text so it doesn't add additional (unknown) entropy. Salt is a mitigation against rainbow table attacks.
Protection against brute force is provided by the hashing algorithm itself. The hash algorithm should be slow so that a brute force attack will take an infeasible amount of time.
In addition, cryptgraphic "pepper" added to the cleartext + salt can make the brute force attack more difficult because it renders a dictionary attack impossible. On the other hand, if the hacker has access to the DB table with the hashes and the salts, he may also have access to the pepper.
If the SAP system uses pepper, the length of the password doesn't matter, because the pepper will be longer than the password anyway. If it doesn't, then shorter passwords are indeed more vulnerable as the brute force attack will check for shorter passwords first.
