01-30-2012 5:10 PM
Experts,
I've tested with a few different colleagues who are also running ECC 5.0 and am consistently finding issues with the system password validation.
As an example, assume the login/min_password_lng parameter (minimum password length) on a password is 8. User is able to enter a password with 8+ characters, which is commonly known and OK from my perspective. The issue is, it appears that the system is only performing a validation on the first 8 characters, not anything exceeding that, and I don't believe there is a max_password_lng parameter available.
Am I wrong in viewing this as a significant identity management risk? (Not referring to SAP IDM the product... just identity management in principle)
Would appreciate both points of view: BASIS perspective as well as Compliance/Risk/Audit.
Rgds
01-30-2012 6:31 PM
Hello,
The password rules depend on the NW version. Please check these notes:
Note 2467 - Password rules and preventing incorrect logons
Note 862989 - New password rules as of SAP NetWeaver 2004s (NW ABAP 7.0)
I don't understand what you want to validate....
Cheers,
Diego.
01-30-2012 7:19 PM
Diego,
Thanks for pointing me towards those notes, though they don't fully address my concerns...
Our technical landscape is as follows - SAP ECC 5.0 SR1, SAP NW 04, SPS 9
My main concern is that users are shown an error message if they enter any fewer than 8 characters. Myself (and many other advanced users of SAP) will often set passwords with 8+ characters, but my assumption was that the system performs validation checks on the full string, not just the first 8 characters.
Now it seems like the parameters that are checked (i.e. login/min_password_lowercase, login/min_password_uppercase, login/min_password_specials, ...) are only checked on the first 8 characters, so a user who thinks they are building a very strong password by adding additional special characters or numbers, etc. after the first 8 characters is actually not building a stronger password at all. In my mind, if a hacker knows that only the first 8 characters are being checked, and given some of the pre-existing constraints used by SAP (i.e. ? or ! cannot be the first character of a password), the system is much more vulnerable to security exploits.
Give this a try, see what happens:
Take whatever value you have in login/min_password_lng parameter, add 2 additional characters (using my example above, password length = 10), and save that as your password. Now paste just the first 8 characters of your 10-character password... Are you able to log into the system?
If not, what ECC version/NW stack of SAP are you running?
01-30-2012 7:26 PM
Hello,
I cannot enter a 10 character password in NW '04, ECC 5.0. In the sapgui screen I only have space for 8 characters in the password textfield. This is a limitation of NW'04. In a NW 7.01 I can enter longer passwords, up to 40 characters.
Cheers,
Diego.
01-30-2012 7:30 PM
Give it another try - even though the password field appears as if it is constrained to 8, I'm pretty sure you can still enter 10 if you are using ECC 5.0/NW 04.
If that works, then try again with only the first 8 of 10 characters pasted into the field. Can you still access the system, both with the 10-lng password and the 8-lng?
I'm interested to see if you get the same result.
Thanks again for your help and prompt replies.
01-30-2012 7:38 PM
Wei,
You can write a password like "test1234567890abcdefgh" but the valid password is "test1234", the other characters you write just don't matter, you can write a book after the eighth character if you want ;=) but nothing will happen.
Cheers,
Diego.
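An added example, not code from this thread or from SAP, that models the behaviour described in the experiment above and in Diego's "test1234" reply: an audit helper that checks the profile-parameter rules named in the thread against the part of the password the old system actually evaluates. The 8-character boundary, the set of special characters and the sample passwords are assumptions for illustration.

```python
# Added example (not from the thread or SAP): models an NW '04 / ECC 5.0 system
# that evaluates only the first 8 characters of a password, so an auditor can
# see which passwords look compliant as typed but are weaker once truncated.
# Parameter names are the profile parameters named in the thread; the boundary,
# the special-character set and the sample passwords are assumed.

SPECIALS = set("!@#$%^&*()-_+=<>?/\\|{}[]~,.;:'\"")  # assumed
TRUNCATE_AT = 8  # assumed boundary described by the posters

DEFAULT_POLICY = {
    "login/min_password_lng": 8,
    "login/min_password_lowercase": 1,
    "login/min_password_uppercase": 1,
    "login/min_password_specials": 1,
}


def effective_password(password, truncate_at=TRUNCATE_AT):
    """The part of the password the system actually evaluates and stores."""
    return password[:truncate_at]


def policy_violations(candidate, policy=DEFAULT_POLICY):
    """Return the rules a candidate string fails (empty list means it passes)."""
    problems = []
    if len(candidate) < policy["login/min_password_lng"]:
        problems.append("login/min_password_lng")
    if candidate[:1] in ("?", "!"):  # constraint mentioned in the thread
        problems.append("first character may not be ? or !")
    counts = {
        "login/min_password_lowercase": sum(c.islower() for c in candidate),
        "login/min_password_uppercase": sum(c.isupper() for c in candidate),
        "login/min_password_specials": sum(c in SPECIALS for c in candidate),
    }
    for rule, have in counts.items():
        if have < policy[rule]:
            problems.append(rule)
    return problems


def audit(password, policy=DEFAULT_POLICY, truncate_at=TRUNCATE_AT):
    """Compare the password as typed with what the system really checks.

    Complexity that lives only past the boundary satisfies the user, not the
    policy: the effective password may still fail rules the full string meets."""
    effective = effective_password(password, truncate_at)
    return {
        "effective": effective,
        "ignored_suffix": password[truncate_at:],
        "violations_as_typed": policy_violations(password, policy),
        "violations_effective": policy_violations(effective, policy),
    }
```

A password such as the constructed "welcome1Z!" passes every rule as typed but its effective form "welcome1" fails the uppercase and specials rules, which is exactly the gap the thread is describing.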
01-30-2012 8:44 PM