Patrick wrote:
Jaap Karman
Isn't the question if "you" can reverse the password if given to you? Good luck with AES.
Update to my former post: I found a way to nicely ask the SAS software to decrypt a SAS01-SAS04 password for me. So I can decrypt any password in seconds. So even the SAS04 method is not secure. It may use AES internally, but the key for the encryption has to be always the same to reuse the encoded password across different SAS machines and so that you can promote your metadata and SAS programs.

I quote from Concepts: PWENCODE Procedure :: Base SAS(R) 9.4 Procedures Guide, Third Edition: "PROC PWENCODE is intended to prevent casual, non-malicious viewing of passwords. You should not depend on PROC PWENCODE for all your data security needs; a determined and knowledgeable attacker can decode the encoded passwords."

So the conclusion is: using pwencode might prevent 99% of all your users from decrypting the password as clear text. But if the last 1% of users could do any damage with the clear text password or could gain access to highly sensitive data you should never rely on PROC PWENCODE! PROC PWENCODE passwords are not safe!
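An added example, not part of the original post and not SAS code: a small audit script that finds PWENCODE-encoded passwords embedded in SAS programs so they can be inventoried and replaced. The `{SAS00n}` tag format is an assumption taken from SAS documentation (the post only names "SAS01-SAS04"), and the sample program and its encoded values are constructed.

```python
import re

# Tag format {SAS001}..{SAS005} followed by base64 or hex text is an assumption
# taken from SAS documentation; the post itself only names "SAS01-SAS04".
ENCODED_PW = re.compile(r"\{sas00([1-5])\}([A-Za-z0-9+/=]+)", re.IGNORECASE)

# Constructed sample SAS program; the encoded values are made up, not real output.
SAMPLE_SAS = '''\
libname dw oracle user=etl password="{SAS002}0A1B2C3D4E5F60718293A4B5" path=prod;
/* old value: {sas001}Y29uc3RydWN0ZWQ= */
proc sql;
  connect to odbc (dsn=crm uid=app pwd="{SAS004}00112233445566778899AABB");
quit;
%let note = no secret on this line;
'''

def find_encoded_passwords(text, source="<inline>"):
    """Return one finding per PWENCODE-style token, without echoing the value."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in ENCODED_PW.finditer(line):
            findings.append({
                "source": source,
                "line": lineno,
                "method": "SAS00" + m.group(1),
                # Length only: the encoded string works as a credential as-is.
                "encoded_len": len(m.group(2)),
            })
    return findings

def report(findings):
    """Format findings for review; every method is reported as recoverable."""
    return [
        f"{f['source']}:{f['line']}: {f['method']} encoded password "
        f"({f['encoded_len']} chars) - treat as cleartext, move to a secret store"
        for f in findings
    ]

if __name__ == "__main__":
    for row in report(find_encoded_passwords(SAMPLE_SAS, "sample.sas")):
        print(row)
```

The script flags every encoding method equally, SAS004 included, in line with the post's conclusion that none of them should be treated as protection.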