In SAS 9.2, the only method available to hash passwords for internal
SAS accounts was the MD5 hash algorithm. To comply with the FIPS 140-2
standard, SAS 9.3 supports SHA256, which is available only when you
have licensed SAS/SECURE. Although SAS 9.3 deployments that use
SAS/SECURE generate no new password hashes with MD5, during a migration
the existing password hash is in MD5 and must remain in MD5 to be
validated. For an internal account in a SAS 9.3 deployment that
includes SAS/SECURE, the only way to stop using the MD5 hash is to
change the password to a new value. This causes SAS 9.3 to generate
and store a new SHA256 hash and to move the existing MD5 hash to the
history list.

The history list maintains a maximum of five password hashes to prevent
a person from using any of the previous five passwords as a new
password. This enforcement is optional. As a person changes passwords
over time, the MD5 hashes move through the history list and are
replaced by SHA256 hashes. To remove all MD5 hashes from the history
list, a user would have to change passwords five times.

During a migration, the SAS Deployment Wizard gives you the opportunity
to change the passwords for your SAS internal accounts. For more
information, see Unrestricted Administrator.