Application Development Discussions
Join the discussions or start your own on all things application development, including tools and APIs, programming models, and keeping your skills sharp.

Report to know how many user fill new password policy

pascal_bouvy
Discoverer
0 Kudos

Hello,

We are running SAP NetWeaver 7.01, and we want to change our password policy (increase password complexity, for example).

Is there a report that will tell us how many users' passwords do not meet our new password policy?

I don't want to know the users' passwords, only how many users, and if possible the names of the users, do not meet the new password policy.

Regards.

Pascal.

7 REPLIES 7

martin_voros
Active Contributor
0 Kudos


Hi,

You can't see from the hash value whether a password satisfies the new criteria or not. The best thing you can do is to check the date of the last password change (USR02-BCDA1). So any user with a date after your change complies with the new policy.

Cheers
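The date-based approach from the reply above, as an added example that is not part of the original thread: a small emulation of the report over constructed USR02-like rows (BNAME and BCDA1 only). The policy-change date, the sample users and the decision to treat an initial BCDA1 value as "not yet set under any policy" are assumptions for the example.

```python
"""Added example (not from the thread): emulate the BCDA1-based report.

USR02 is the SAP user master table; BCDA1 holds the date of the last
password change as an 8-character DATS value (YYYYMMDD). The rows below
are constructed sample data, not a real system dump.
"""
from datetime import date

# Date the stricter policy went live (assumption for the example).
POLICY_CHANGE_DATE = date(2011, 3, 1)

# Constructed USR02-like rows: (BNAME, BCDA1). '00000000' is the initial
# DATS value, i.e. the password was never changed after creation.
USR02_SAMPLE = [
    ("ALICE", "20110315"),
    ("BOB",   "20100720"),
    ("CAROL", "20110301"),
    ("DAVE",  "00000000"),
    ("ERIN",  "20110228"),
]


def dats_to_date(value):
    """Convert an SAP DATS string (YYYYMMDD) to a date; initial value -> None."""
    if not value or value == "00000000":
        return None
    return date(int(value[:4]), int(value[4:6]), int(value[6:8]))


def users_needing_review(rows, policy_date):
    """Return the names of users whose password predates the policy change.

    A password last set on or after policy_date was validated against the
    new rules when it was set, so it complies. Anything older, or a password
    that was never changed, cannot be assumed to comply and is flagged.
    """
    flagged = []
    for bname, bcda1 in rows:
        changed = dats_to_date(bcda1)
        if changed is None or changed < policy_date:
            flagged.append(bname)
    return flagged


def report(rows, policy_date):
    """Summarise the check: total users, flagged count and flagged names."""
    flagged = users_needing_review(rows, policy_date)
    return {"total": len(rows), "non_compliant": len(flagged), "users": flagged}


if __name__ == "__main__":
    r = report(USR02_SAMPLE, POLICY_CHANGE_DATE)
    print(f"{r['non_compliant']} of {r['total']} users predate the policy: {r['users']}")
```

On a real system the same thing is a single selection on USR02 with BCDA1 below the cut-off date (SE16, SQVI or a short ABAP report). Note the direction of the inference: a date after the change proves compliance, but a date before it only means the password was set under the old rules, so the list is a conservative upper bound of users to chase, not proof that each of them is non-compliant.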

Former Member
0 Kudos

For some reason I thought it was a Java stack question, but now it is not clear.

It also depends on which code version you are using. New code versions use different fields when downward compatibility is not a requirement.

Cheers,

Julius

0 Kudos

Hello,

OK, but SAP has a parameter:

This text comes from SAP Help:

login/password_compliance_to_current_policy: if this parameter equals 1, the system checks during password logon whether the current password complies with the current password rules and forces a password change if that is not the case.

So, does someone know which function is used, so we can write our own code to check for each user whether the password policy is met?

Regards.

Pascal.

0 Kudos

Hi,

Fortunately SAP does not store passwords in plaintext. The passwords are hashed. Hence it's impossible to get the password or check whether the password satisfies the current policy. The way that parameter works is that the check is performed at logon. At that time the system has the password in plaintext. The system hashes the password and compares it with the value in the DB. It does not store the plaintext password anywhere. So you can't write a report that checks all users in the DB.

Cheers

0 Kudos

I will have to disagree here. Quoting SAP Note 1458262:

"ABAP systems support password-based authentication. The password validation is performed by comparing password hash values, thus the server only stores password hash values (and the information on how the password hash was calculated, the so-called "code version" information) in the user master record."

It should be possible to write a program to check the code version for all stored password hashes.

https://service.sap.com/sap/support/notes/1458262

0 Kudos

No. The code version is just an ID for the algorithm that is used for calculating the hash. For example, code version D uses MD5 and E uses SHA1. This does not tell you anything about compliance with the password policy. For example, let's say a password policy mandates at least one special character and one digit in the password. How does knowing the hashing algorithm help you answer the question: does this password contain at least one special character and one digit? By definition of a cryptographic hash function you can't answer this question. If you could, it would mean that the hashing algorithm is broken and you have another problem.

There is an FM PASSWORD_FORMAL_CHECK that checks whether a password in plain text complies with the password policy. But you must have the password in plain text. Fortunately, it's not stored in plain text anywhere.

Cheers
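The mechanism described in the two replies above (the check runs at logon, when the cleartext is briefly available, and the stored code version plus hash reveal nothing about policy compliance) and the login/password_compliance_to_current_policy parameter quoted earlier, as an added example that is not part of the original thread or of SAP's code. The hashing is a simplified stand-in for the code versions named in the reply (D as MD5, E as SHA1) and does not reproduce SAP's real hash formats or salting; the policy rules, the formal_check routine (modelled on the role of PASSWORD_FORMAL_CHECK, not its implementation) and the sample users are assumptions for the example.

```python
"""Added example (not from the thread): where a policy check can and cannot run.

A report over the user master sees only CODVN (algorithm id) and the hash
digest; neither tells it anything about length or character classes. The
only place the cleartext exists is the logon path, which is where the
compliance check has to live.
"""
import hashlib
import re

# Simplified policy, standing in for the login/* profile parameters (assumption).
MIN_LENGTH = 8
REQUIRE_DIGIT = True
REQUIRE_SPECIAL = True

# Simplified code-version table (assumption; real SAP formats differ).
CODE_VERSIONS = {"D": "md5", "E": "sha1"}


def hash_password(plaintext, codvn):
    """Stand-in for the per-code-version hash; CODVN selects the algorithm."""
    return hashlib.new(CODE_VERSIONS[codvn], plaintext.encode("utf-8")).hexdigest()


def formal_check(plaintext):
    """Return the list of policy violations for a cleartext password (empty = OK).

    Plays the role of a PASSWORD_FORMAL_CHECK-style routine: it needs the
    cleartext, so it can only run at logon or at password change.
    """
    problems = []
    if len(plaintext) < MIN_LENGTH:
        problems.append("too short")
    if REQUIRE_DIGIT and not re.search(r"\d", plaintext):
        problems.append("no digit")
    if REQUIRE_SPECIAL and not re.search(r"[^A-Za-z0-9]", plaintext):
        problems.append("no special character")
    return problems


# Constructed user master rows: BNAME -> (CODVN, stored hash). Both passwords
# were set under the old, weaker rules; only ALICE's happens to meet the new ones.
USR02_SAMPLE = {
    "ALICE": ("E", hash_password("Tr0ub4dor&3", "E")),
    "BOB":   ("E", hash_password("letmein", "E")),
}


def logon(bname, plaintext, compliance_to_current_policy=True):
    """Emulate logon with login/password_compliance_to_current_policy.

    Returns (authenticated, change_required). The formal check runs only
    after the hash comparison succeeded, i.e. while the cleartext is in hand;
    with the parameter off, a non-compliant but correct password logs on as usual.
    """
    codvn, stored = USR02_SAMPLE[bname]
    if hash_password(plaintext, codvn) != stored:
        return (False, False)
    if compliance_to_current_policy and formal_check(plaintext):
        return (True, True)  # logon succeeds, but a password change is forced
    return (True, False)


if __name__ == "__main__":
    for user, pw in (("ALICE", "Tr0ub4dor&3"), ("BOB", "letmein"), ("BOB", "wrong")):
        print(user, logon(user, pw))
```

Two things are worth noticing when running it: BOB's row in USR02_SAMPLE looks exactly like ALICE's to any offline report (same CODVN, same digest length, no structure), and BOB is only caught the moment he logs on with the correct password. That is why the answer to the original question is the last-change date, not the hash.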

0 Kudos

You are correct, I misunderstood the requirement.