11-06-2007 2:09 AM
Hi,
I use ECC6.0 AS ABAP.
In Note 2467,
"The first 3 characters cannot be identical".
I want to allow users to set a password whose first 3 characters are the same.
Can I change this password rule?
Regards,
Yasuo
11-06-2007 6:54 AM
I'm not aware that you can change this part of the password settings. Why change it? It will only serve to create a weaker password.
11-06-2007 7:22 AM
Our client needs to set the same password as other existing non-SAP systems.
Regards,
Yasuo
11-07-2007 5:36 PM
Please note that password policies might be different in different systems - even in systems of the same type / vendor ...
Therefore the attempt to synchronize passwords across multiple systems is (in general) subject to failure - see SAP Note 376856 (https://service.sap.com/sap/support/notes/376856), which also provides other reasons for failure.
If you want to achieve Single Sign-On (SSO), then please use a proper SSO mechanism. I still do not understand why so many persons make the mistake to conclude:
logon = password-based authentication -> SSO = replicated passwords
That's the wrong way. It simply will not work (reliably).
11-06-2007 7:46 AM
Hello Yasuo,
I strongly advise against changing that parameter.
It will only weaken your company's password policy, and make your SAP system more vulnerable.
Chumy.
11-06-2007 9:14 AM
Hi Yasuo,
This rule is predefined/hard-coded in the SAP system and hence "cannot be changed",
i.e. it does not have a corresponding profile parameter defined.
But note:
As of Release 6.10 (Web Application Server) this rule has been removed.
It will only be checked in all releases up to 4.6D.
Rgds, Chaitu
11-07-2007 5:38 PM
> As of Release 6.10 (Web Application Server) this rule
> has been removed.
> It will only be checked in all releases up to 4.6D.
Not true. You have mixed this up with the (obsolete) rule stating that "the first 3 characters of the password must not be part of the userID" (see SAP Note 2467, https://service.sap.com/sap/support/notes/2467).
12-03-2007 12:14 PM
It is always best practice to follow the password policies, which are a vital aspect of security.
A change in policy practices also results in an audit review.
12-03-2007 5:30 PM
I think that this is not really hitting the point.
Yasuo revealed the motivation for the intended policy modification (actually, it is most likely intended to bypass all password policy checks): he intends to synchronize passwords across different systems.
I can only repeat what I've written previously: that's the wrong approach.
If you want to achieve SSO then forget about passwords; use proper SSO mechanisms, instead.
12-05-2007 1:46 AM
Hi Yasuo,
Use table USR40 to include illegal and easily guessed passwords...
Let me know if you need any clarification...
Thanks
Rajesh.
12-05-2007 8:40 AM
Hi Rajesh,
Yasuo is not interested in making the password rules more strict ...
Well, the only advice I can give him is to use proper SSO mechanisms instead of attempting to emulate SSO by password synchronization.
Cheers, Wolfgang
12-11-2007 6:52 AM
Hi all,
I notified my customer that "The first 3 characters cannot be the same".
In future, I will suggest that my customer implement a proper SSO solution.
Thanks,
Yasuo
12-11-2007 8:20 AM
Hello Yasuo,
Thanks for following up. As the thread was old (+30 days), I had assumed it closed.
Kind regards,
Julius