How to change the password rule "The first 3 characters cannot be same"

Former Member
0 Kudos

Hi,

I use ECC6.0 AS ABAP.

In Note 2467,

"The first 3 characters cannot be identical".

I want to allow users to set password first 3 characters same.

Can I change this password rule ?

Regards,

Yasuo

1 ACCEPTED SOLUTION

Former Member
0 Kudos

It is always the Best practice to follow the Password policies, which is a vital aspect in security.

The change of practices of policies results in audit review also.

12 REPLIES

Former Member
0 Kudos

I'm not aware that you can change this part of the password settings. Why change it? It will only serve to create a weaker password.

Former Member
0 Kudos

Our client needs to set the same password as other existing non-SAP systems.

Regards,

---

Yasuo

WolfgangJanzen
Product and Topic Expert
0 Kudos

Please notice that password policies might be different in different systems - even in systems of the same type / vendor ...

Therefore the attempt to synchronize passwords across multiple systems is (in general) subject to failure - see SAP Note 376856 (https://service.sap.com/sap/support/notes/376856), which also gives other reasons for failure.

If you want to achieve Single Sign-On (SSO), then please use a proper SSO mechanism. I still do not understand why so many persons make the mistake of concluding:

logon = password-based authentication -> SSO = replicated passwords

That's the wrong way. It simply will not work (reliably).

Former Member
0 Kudos

Hello Yasuo,

I strongly advise against your changing that parameter.

It will only weaken your company's password policy, and make your SAP system more vulnerable.

Chumy.

Former Member
0 Kudos

Hi Yasuo,

This rule is Predefined/hard-coded in SAP system & hence "cannot be changed".

i.e., it does not have a corresponding profile parameter defined.

But Note:

As of Release 6.10 (Web Application Server) this rule has been removed.

It will only be checked in all releases up to 4.6D.

Rgds, Chaitu

WolfgangJanzen
Product and Topic Expert
0 Kudos

> As of Release 6.10 (Web Application Server) this rule

> has been removed.

> It will only be checked in all releases up to 4.6D.

Not true. You have mixed this up with the (obsolete) rule stating that "the first 3 characters of the password must not be part of the userID" (see SAP Note 2467, https://service.sap.com/sap/support/notes/2467).


WolfgangJanzen
Product and Topic Expert
0 Kudos

I think that this is not really hitting the point.

Yasuo revealed the motivation for the intended policy modification (actually, it is most likely intended to bypass all password policy checks): he intends to synchronize passwords across different systems.

I can only repeat what I've written previously: that's the wrong approach.

If you want to achieve SSO then forget about passwords; use proper SSO mechanisms, instead.

Former Member
0 Kudos

Hi Yasuo,

Use table USR40 to include illegal and easily guessed passwords...

Let me know if you need any clarification...

Thks

Rajesh.
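As an added illustration (not code from this thread, from SAP, or from any of the posters), here is a small Python model of the checks discussed above: the hard-coded "first 3 characters cannot be identical" rule, the obsolete "first 3 characters must not be part of the user ID" rule Wolfgang cites, and a USR40-style list of prohibited password patterns. It assumes USR40 patterns use `*` for any run of characters and `?` for a single character, compared case-insensitively; the pattern rows are constructed sample data.

```python
import re

# Constructed sample rows in the style of table USR40 (assumption: '*' matches any
# run of characters, '?' exactly one character, matching is case-insensitive).
PROHIBITED_PATTERNS = ["PASS*", "*SAP*", "?ELCOME", "12345*"]


def first_three_identical(pw: str) -> bool:
    """Hard-coded rule from the thread: the first three characters must not be identical."""
    return len(pw) >= 3 and pw[0] == pw[1] == pw[2]


def first_three_in_userid(pw: str, userid: str) -> bool:
    """Obsolete rule cited in the thread: first three characters must not occur in the user ID."""
    return len(pw) >= 3 and pw[:3].upper() in userid.upper()


def usr40_match(pw: str, pattern: str) -> bool:
    """Translate a USR40-style wildcard pattern into a regex and test the whole password."""
    regex = "".join(
        ".*" if ch == "*" else "." if ch == "?" else re.escape(ch) for ch in pattern
    )
    return re.fullmatch(regex, pw, re.IGNORECASE) is not None


def check_password(pw: str, userid: str, patterns=PROHIBITED_PATTERNS) -> list:
    """Return the names of every rule the candidate violates; an empty list means accepted."""
    violations = []
    if first_three_identical(pw):
        violations.append("first_three_identical")
    if first_three_in_userid(pw, userid):
        violations.append("first_three_in_userid")
    for pattern in patterns:
        if usr40_match(pw, pattern):
            violations.append(f"usr40:{pattern}")
    return violations


if __name__ == "__main__":
    for candidate in ["aaab1234", "Password1", "yasuo99", "welcome", "Tr0ub4dor"]:
        print(candidate, "->", check_password(candidate, "YASUO") or "accepted")
```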

WolfgangJanzen
Product and Topic Expert
0 Kudos

Hi Rajesh,

Yasuo is not interested in making the password rules more strict ...

Well, the only advice I can give him is to use proper SSO mechanisms instead of attempting to emulate SSO by password synchronization.

Cheers, Wolfgang

0 Kudos

Hi all,

I notified my customer that "The first 3 characters cannot be the same".

In future, I will suggest my customer to implement proper SSO solution.

Thanks,

Yasuo

0 Kudos

Hello Yasuo,

Thanks for following up. As the thread was old (+30 days), I had assumed it closed.

Kind regards,

Julius