Decrypt passwords of SAS Software encryption {sas004} {sas003} {sas002} {sas001} and {sasenc}.

There are many myths about the safety of SAS password encryption with PROC PWENCODE.
Let me put it in a few words: encrypted passwords were never safe, are not safe and never will be!

It is a totally stupid idea to store passwords in source code, and even worse to output them in log files!

PROC PWENCODE METHOD | Data Decryption Status | Decode Password     | Encryption Algorithm
{SAS001}             | is insecure            | successfully decoded | very simple decode / base64
{SASENC}             | is insecure            | successfully decoded | uses a 32-bit key to decode passwords / SAS proprietary
{SAS002}             | is insecure            | successfully decoded | uses a 32-bit key to decode passwords / SAS proprietary
{SAS003}             | is insecure            | successfully decoded | uses a 256-bit key to decode passwords / AES
{SAS004}             | is insecure            | successfully decoded | uses a 256-bit key plus a 64-bit salt to decode passwords / AES
Warning: Encrypted passwords are generally not safe! Therefore, this design pattern is basically the wrong approach.

SAS software itself must be able to decrypt the password. For security reasons, I will not publish the algorithms for decryption.
You're welcome to send your encrypted password in an email to me and I can send back your password in plain text.

It is not a good idea to store encrypted passwords in code or files! This command finds all encoded passwords in the SAS files on your server:

   find . -name '*.sas' -print0 | xargs -0 grep '{sas' > ~/grep_saspwd.txt
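Note that the command above copies every match, encoded password included, into grep_saspwd.txt. As an added example (not the author's proof of concept and not code from this page), here is a Python scanner over constructed sample files that classifies each hit by PWENCODE method according to the table above and redacts the encoded value in its report; file names and encoded blobs are made up.

```python
import re
from collections import Counter

# Constructed sample input: two SAS source lines and a log excerpt, as the
# find/xargs command might turn them up. The encoded values are invented.
SAMPLE_FILES = {
    "etl/load_customers.sas": (
        'libname orcl oracle user=etl password="{sas002}ABCDEF0123456789" path=prod;\n'
        "data work.x; set orcl.customers; run;\n"
    ),
    "logs/nightly.log": (
        "NOTE: Libref ORCL successfully assigned.\n"
        'libname hr oracle user=hr password="{sas004}9876543210FEDCBA" path=prod;\n'
        "%let pw={sas001}Zm9vYmFy;\n"
    ),
}

# PROC PWENCODE method tags and how the table above characterises them.
METHOD_INFO = {
    "sas001": "base64 only",
    "sasenc": "SAS proprietary, 32-bit key",
    "sas002": "SAS proprietary, 32-bit key",
    "sas003": "AES, 256-bit key, no salt",
    "sas004": "AES, 256-bit key, 64-bit salt",
}

# A method tag followed by the encoded blob (base64 or hex characters).
PATTERN = re.compile(r"\{(sas001|sas002|sas003|sas004|sasenc)\}([A-Za-z0-9+/=]+)",
                     re.IGNORECASE)

def redact(blob):
    """Keep a short prefix and the length so a finding can be located without copying the secret."""
    return f"{blob[:4]}...({len(blob)} chars)"

def scan_text(name, text):
    """One finding per encoded password: (file, line no, method, description, redacted blob)."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in PATTERN.finditer(line):
            method = m.group(1).lower()
            findings.append((name, lineno, method, METHOD_INFO[method], redact(m.group(2))))
    return findings

def scan_files(files):
    """Scan a mapping of file name -> contents and collect all findings in file order."""
    findings = []
    for name, text in files.items():
        findings.extend(scan_text(name, text))
    return findings

def summarize(findings):
    """Count findings per method; every method counts, since all of them are rated insecure."""
    return Counter(f[2] for f in findings)

if __name__ == "__main__":
    found = scan_files(SAMPLE_FILES)
    for f in found:
        print("%s:%d {%s} %s -> %s" % f)
    print(dict(summarize(found)))
```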
My proof of concept takes about 100 lines of code to decrypt any SAS password.
It does not matter whether the SAS passwords are stored in plain text or encrypted, in the source code or in the metadata server: my decryption will always work.
If you want to hide passwords from 99% of users, then use SAS Library MetaData! There is no other safe way to hide passwords in SAS!


As you can see in the picture, there is no real protection, because you can use the password for other services!

So the problem is in the security design itself. In my proof of concept I just simulate a regular login service.
SAS001 and SAS002 are simple transformations that can be reversed. SAS003 uses encryption with a small key and no salt.
SAS004 is based on secure encryption with a random salt value. Although this is very good, it is still insecure. Why?

The credentials are not bound to a service! Every administrator, and eventually every user, can read these credentials.
You can use the encoded password for another service. You only have to simulate the login process of a service!
That's all. It is not necessary to crack the encryption, because SAS itself decrypts the password for you.

This entry was posted in March 2015. What I do not like, and my wish list for the future: I hope that at a later date credentials can be stored securely.

SAS ® are trademarks or registered trademarks of SAS Institute Inc.