How to Increase Encryption Strength for Passwords at Rest

For passwords in configuration files, use the SAS Deployment Manager's password update utility and supply AES-encrypted passwords.
For login passwords in the metadata, AES encryption is used by default if you have SAS/SECURE (so no configuration activity is necessary in order to maximize protection). For internal account passwords in the metadata, SHA-256 hashing is used by default (so no configuration activity is necessary in order to maximize protection).
Note: If the metadata server's omaconfig.xml file specifies STOREPASSWORDS="SAS002", passwords in metadata are stored in SASProprietary format (even if you have SAS/SECURE). The metadata server's omaconfig.xml file is located in your equivalent of SAS/Config/Lev1/SASMeta/MetadataServer/.
CAUTION:
Passwords that are stored in SAS003 format (or with SHA-256 hashing) become unusable and inaccessible if SAS/SECURE is unavailable.
If you use SAS/SECURE, it is important to keep your SAS/SECURE license current. If you choose to discontinue use of SAS/SECURE, you must revert all stored passwords to the less secure format before you uninstall the software. To revert login passwords, set STOREPASSWORDS="SAS002", restart the metadata server, and use SAS Management Console to re-enter passwords in any logins that need to include passwords. To revert internal account passwords, set HashPasswords="MD5", restart the metadata server, and update the password in every internal account.