SAP Knowledge Base Article - Preview

3627131 - Performance of Argon2 Encoder in Commerce Cloud

Symptom

"Image/data in this KBA is from SAP internal systems, sample data, or demo systems. Any resemblance to real data is purely coincidental." 

Several password hashing algorithms are deprecated and deactivated by default to improve system security. Rehashing on login is introduced as a configurable option, and Argon2 replaces bcrypt as the default password hashing algorithm.

For security reasons, we're changing the handling of new passwords by deprecating the following algorithms:
  • MD5
  • salted MD5
  • PBKDF2
  • PBKDF2 with HMAC-SHA1 salted
  • plain text
  • SHA-1
  • SHA-256
  • SHA-512

The switch is the legacy.password.encoding.enabled property in the advanced.properties file, which is set to false by default. With that value, any attempt to use one of the deprecated password encoders throws an exception, which is recorded in the log.

If an existing setup depends on legacy password hashing, you can set the property to true to switch the legacy encoding back on; the exception is then no longer thrown. Because this re-enables schemes that offer little protection against offline cracking (plain text, and unsalted or fast hashes such as MD5 and SHA-1), re-enable the original hashing behavior only after careful consideration, and treat it as a temporary measure while the affected passwords are migrated.

To give sensitive password data the strongest available protection, the new default algorithm is Argon2.

Keep in mind that Argon2, while far more resistant to cracking than the legacy algorithms, is deliberately expensive to compute. When adopting it, balance security and performance carefully, especially on systems with high authentication volumes. The algorithm is tuned through "work factors", configurable parameters (memory cost, iteration count and parallelism) that determine how much computation each hash requires. Higher work factors make the hashes more expensive for an attacker to brute-force, but they also increase the time each login takes.

We recommend conducting performance testing before deployment to ensure your system can handle the increased computational load. You can always adjust work factor settings to match your specific security requirements and hardware capabilities.

For detailed guidance on choosing parameters, refer to the "Work Factors" section of the Password Storage Cheat Sheet in the OWASP (Open Worldwide Application Security Project) Cheat Sheet Series.
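The following is an added example, not SAP Commerce code and not the Commerce password encoder itself: it uses Spring Security's Argon2PasswordEncoder (which requires spring-security-crypto and Bouncy Castle on the classpath) to time a few candidate work-factor sets against a per-login latency budget, and then shows the rehash-on-login idea, where a hash made with weaker parameters is detected on a successful login and re-encoded with the current parameters. The class name, the candidate parameter sets, the 250 ms budget and the deliberately weak "old" parameters are all assumptions chosen for illustration; the Commerce property names and defaults are not modelled here.

```java
import java.util.List;
import org.springframework.security.crypto.argon2.Argon2PasswordEncoder;

/**
 * Added example (hypothetical class, not SAP Commerce code): probe Argon2id
 * work factors for cost and demonstrate rehash-on-login with Spring Security.
 */
public class Argon2WorkFactorProbe {

    /** One candidate parameter set. Memory is in KiB, as Spring Security expects. */
    record Params(String label, int memoryKib, int iterations, int parallelism) {
        Argon2PasswordEncoder encoder() {
            // 16-byte salt, 32-byte hash output
            return new Argon2PasswordEncoder(16, 32, parallelism, memoryKib, iterations);
        }
    }

    /** Average encode() latency in milliseconds over `rounds` hashes (after one warm-up). */
    static double averageEncodeMillis(Argon2PasswordEncoder encoder, int rounds) {
        encoder.encode("warm-up"); // JIT warm-up, not timed
        long start = System.nanoTime();
        for (int i = 0; i < rounds; i++) {
            encoder.encode("correct horse battery staple"); // constructed sample password
        }
        return (System.nanoTime() - start) / 1_000_000.0 / rounds;
    }

    public static void main(String[] args) {
        // Candidate sets: OWASP's recommended minimum, Spring Security's 5.8 defaults,
        // and one stronger set. Labels show memory (m), iterations (t), parallelism (p).
        List<Params> candidates = List.of(
            new Params("owasp-min  m=19MiB t=2 p=1", 19 * 1024, 2, 1),
            new Params("spring-5.8 m=16MiB t=2 p=1", 16 * 1024, 2, 1),
            new Params("stronger   m=64MiB t=3 p=1", 64 * 1024, 3, 1));
        double budgetMillis = 250.0; // hypothetical per-login budget for this host

        for (Params p : candidates) {
            double ms = averageEncodeMillis(p.encoder(), 5);
            System.out.printf("%-28s %8.1f ms  %s%n", p.label(), ms,
                ms <= budgetMillis ? "within budget" : "EXCEEDS budget");
        }

        // Rehash-on-login: a stored hash produced with deliberately weak parameters
        // (4 MiB, 1 iteration) still verifies, because matches() reads the parameters
        // embedded in the hash string; upgradeEncoding() then flags it as weaker than
        // the current policy so the password can be re-encoded while it is in hand.
        Argon2PasswordEncoder weakOld = new Argon2PasswordEncoder(16, 32, 1, 4 * 1024, 1);
        Argon2PasswordEncoder current = candidates.get(2).encoder();
        String stored = weakOld.encode("hunter2"); // constructed sample password
        if (current.matches("hunter2", stored) && current.upgradeEncoding(stored)) {
            stored = current.encode("hunter2"); // persist this in place of the old hash
            // The PHC-style string carries its own parameters: "$argon2id$v=19$m=...,t=...,p=...$salt$hash"
            System.out.println("rehashed with parameters: " + stored.split("\\$")[3]);
        }
    }
}
```

Run the probe on hardware equivalent to the production login tier, and under the concurrency you expect at peak, since Argon2's memory cost multiplies across parallel logins; a parameter set that fits the budget single-threaded can still exhaust memory or CPU when many authentications overlap. The rehash step only helps passwords that are actually used to log in, so accounts that never authenticate keep their old hashes until they are reset.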

Note that from 2211.28 onward, this feature is activated by default for security reasons.

In the 2025 Q3 release, the old insecure strategies are removed from the code entirely; from then on it is no longer possible to switch back to legacy mode.



Environment

  • SAP Commerce Cloud 2211.28 and all above versions

Product

SAP Commerce Cloud 2211; SAP Commerce all versions

Keywords

Argon2, Encoder, Password, Password encoder, KBA, CEC-SCC-PLA-PL, Platform, Problem
