Login passwords used by Adaptive Server to authenticate client connections are stored securely on disk as a SHA-256 hash digest. SHA-256 is a one-way hash algorithm: the digest it produces cannot be reversed to recover the password, which makes its storage on disk secure. To authenticate a user connection, Adaptive Server applies SHA-256 to the password sent by the client and compares the result with the digest stored on disk.
To prevent precomputed dictionary attacks against the login passwords stored on disk, a salt is mixed with the password before SHA-256 is applied. The salt is stored along with the SHA-256 digest and is used again during login authentication.
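The following is an added illustration of the salt-then-SHA-256 scheme described above; it is not Adaptive Server's code. The text states only that a salt is mixed with the password before hashing and stored alongside the digest, so the salt length (16 bytes), the salt-then-password concatenation order, the hex encoding of the stored record, and the sample logins and passwords are assumptions made for this example. It also contrasts an unsalted digest to show why the salt matters.

```python
import hashlib
import hmac
import os
from typing import Optional

# Added example, not Adaptive Server's code. Salt length, concatenation order
# and record encoding are assumptions for illustration only.
SALT_BYTES = 16


def salted_sha256(password: str, salt: bytes) -> str:
    """Hex SHA-256 over salt || password (concatenation order is an assumption)."""
    return hashlib.sha256(salt + password.encode("utf-8")).hexdigest()


def unsalted_sha256(password: str) -> str:
    """Contrast case: a digest that can be matched against a precomputed table."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def store_password(login: str, password: str, table: dict, salt: Optional[bytes] = None) -> dict:
    """Write the record a server keeps on disk: the salt and the digest, never the password."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # fresh random salt per login
    table[login] = {"salt": salt.hex(), "sha256": salted_sha256(password, salt)}
    return table[login]


def authenticate(login: str, password: str, table: dict) -> bool:
    """Recompute the salted digest from the supplied password and compare with disk."""
    rec = table.get(login)
    if rec is None:
        return False
    candidate = salted_sha256(password, bytes.fromhex(rec["salt"]))
    # Constant-time comparison so that timing does not reveal how many
    # leading digest bytes matched.
    return hmac.compare_digest(candidate, rec["sha256"])


def demo() -> dict:
    """Constructed scenario: two logins that happen to share a password."""
    table: dict = {}
    store_password("alice", "Tr0ub4dor&3", table)
    store_password("bob", "Tr0ub4dor&3", table)  # same password, different salt
    return {
        "alice_ok": authenticate("alice", "Tr0ub4dor&3", table),
        "alice_wrong": authenticate("alice", "tr0ub4dor&3", table),
        "unknown_login": authenticate("carol", "anything", table),
        # Salted digests of the same password differ, so one precomputed
        # table cannot be reused across logins ...
        "salted_digests_differ": table["alice"]["sha256"] != table["bob"]["sha256"],
        # ... whereas unsalted digests of the same password are identical.
        "unsalted_digests_equal": unsalted_sha256("Tr0ub4dor&3") == unsalted_sha256("Tr0ub4dor&3"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The salt defeats precomputation: an attacker who obtains the on-disk records must run the hash separately for every salt rather than look digests up in one shared table. Note that a single SHA-256 pass is fast, so a salt alone does not slow down guessing of weak passwords for an individual record; that is why later designs iterate the hash many times or use a purpose-built password KDF on top of the salt.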
To ease the transition to the new on-disk hashing algorithm when migrating from pre-15.0.2 releases, Adaptive Server includes the password policy allow password downgrade. Upon upgrade from a pre-15.0.2 release, the policy has the value “1”, indicating that passwords are stored in both the Sybase proprietary algorithm used in earlier releases and the new SHA-256 algorithm used in Adaptive Server 15.0.2.
As long as passwords are stored in both the old and new forms, Adaptive Server can be downgraded to Adaptive Server 15.0 or 15.0.1 without resetting user passwords. When the policy allow password downgrade is set to 0, passwords are stored only in the new SHA-256 form, which is incompatible with older releases. When downgrading to a previous release, only the passwords stored solely in SHA-256 form are reset to random passwords and stored in the old form compatible with older releases. For more information, see “Backward compatibility”.
Because of the superior password security of the SHA-256 algorithm, Sybase recommends using only SHA-256 as soon as the administrator is certain that a downgrade to an earlier release will not be done. Consider the trade-off when making this decision: should there be a need to downgrade to a pre-15.0.2 release afterwards, administrator intervention is required to unlock the user login passwords that were reset.