Possibility to allow only digit based passwords in NetWeaver ABAP

Former Member
0 Kudos

Hi,

Is it possible to set up the password rules for NetWeaver ABAP so that it's only possible to have a password with digits?

Based on the password rules here https://help.sap.com/saphelp_nw70ehp1/helpdata/en/d2/141fb593c742b5aad8f272dd487b74/content.htm it ought to be possible.

For a six-digit password I would try:

login/min_password_lng = 6

login/min_password_digits=6

login/min_password_letters=0

login/min_password_specials=0

login/min_password_lowercase=0

login/min_password_uppercase=0


Has anyone tried this before?

Regards

Dagfin

1 ACCEPTED SOLUTION

Former Member
0 Kudos

You can't do it just by setting minima. Your rules above allow me to have "123456abc" as a password. You need to be able to set maxima also, and there are no such parameters. As far as I know there are no user exits that happen at the right time either. I don't think there's a way to do what you want.

Steve.

5 REPLIES 5

martin_voros
Active Contributor
0 Kudos

Hi,

Why do you want to restrict it to numbers only? Is it for mobile apps? You can allow passwords with only digits, but why would you disable other characters?

Cheers

0 Kudos

Hi,

Yes it's related to mobile apps.

We're investigating using a two-factor authentication approach, and since one of the factors is quite strong, we want to use a PIN-code-based approach for the other factor. For the PIN-code-based approach to be efficient, we need to display a keypad as part of the app (and therefore not allow any other characters).

Regards

Dagfinn

0 Kudos

The only thing I can think of is to create a security policy for mobile users in tcode SECPOL and there define login/password_downwards_compatibility=5 (only old hashes and a maximum of 8 characters in upper case) and at the same time set login/min_password_digits=8 (which is then the maximum as well).

If the user has this policy and logs on via SAPGUI or other UIs, they can change the password, but it cannot be a password which cannot be entered as digits on the mobile app.

A bit ugly, but should work.

Note: SECPOL exists as of 7.31. Otherwise you will have to use RZ11 for all users in all clients.

Cheers,

Julius
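Added example, not code from the thread or from SAP: a small Python model of the login/min_password_* minima discussed above. It shows Steve's point (the original rules accept "123456abc", because minima alone never forbid extra characters) and Julius's workaround (an 8-character cap, here modelled as a max_length field standing in for the effect of login/password_downwards_compatibility=5, plus login/min_password_digits=8 leaves only all-digit passwords). The max_length field and the rule-set names are assumptions of this model, not profile parameters.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class PasswordRules:
    """Subset of the NetWeaver login/* password minima from the thread.

    max_length is NOT a profile parameter; it models the 8-character cap
    that login/password_downwards_compatibility=5 imposes (assumption).
    """
    min_length: int = 6          # login/min_password_lng
    min_digits: int = 0          # login/min_password_digits
    min_letters: int = 0         # login/min_password_letters
    min_specials: int = 0        # login/min_password_specials
    min_lowercase: int = 0       # login/min_password_lowercase
    min_uppercase: int = 0       # login/min_password_uppercase
    max_length: Optional[int] = None


def violations(password: str, rules: PasswordRules) -> List[str]:
    """Return the list of rules a candidate password breaks (empty = accepted)."""
    digits = sum(c.isdigit() for c in password)
    letters = sum(c.isalpha() for c in password)
    lowercase = sum(c.islower() for c in password)
    uppercase = sum(c.isupper() for c in password)
    specials = len(password) - digits - letters

    found = []
    if len(password) < rules.min_length:
        found.append("min_password_lng")
    if rules.max_length is not None and len(password) > rules.max_length:
        found.append("max_length")
    if digits < rules.min_digits:
        found.append("min_password_digits")
    if letters < rules.min_letters:
        found.append("min_password_letters")
    if specials < rules.min_specials:
        found.append("min_password_specials")
    if lowercase < rules.min_lowercase:
        found.append("min_password_lowercase")
    if uppercase < rules.min_uppercase:
        found.append("min_password_uppercase")
    return found


def accepted(password: str, rules: PasswordRules) -> bool:
    return not violations(password, rules)


def is_digits_only(password: str) -> bool:
    """The property the question actually wants: nothing but digits."""
    return len(password) > 0 and password.isdigit()


# Dagfinn's proposed profile values from the question.
DAGFINN_RULES = PasswordRules(min_length=6, min_digits=6)

# Julius's SECPOL variant: 8-char cap (downwards compatibility 5) + 8 digits.
JULIUS_RULES = PasswordRules(min_length=6, min_digits=8, max_length=8)


if __name__ == "__main__":
    for pw in ["123456", "123456abc", "12345678", "1234567A"]:
        print(f"{pw!r:12} minima-only: {accepted(pw, DAGFINN_RULES)!s:5} "
              f"capped: {accepted(pw, JULIUS_RULES)!s:5} "
              f"digits-only: {is_digits_only(pw)}")
```

The minima-only rule set accepts "123456abc" even though it is not digits-only, which is exactly what Steve describes; once the length is capped at 8 and min_password_digits is also 8, the only strings that satisfy both are 8-digit strings, so the cap acts as the missing maximum.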

0 Kudos

Hi,

If you can guarantee that users won't be able to access the system any other way than via the mobile app, then you can create a custom app that will allow users to set a password with digits only.

Another approach that I have seen is that a mobile app allows setting a PIN code. A user logs on for the first time with username/password and is then prompted to choose a PIN. The chosen PIN is used to encrypt the original password. Whenever the PIN code is entered, the mobile app decrypts the password stored in local storage, makes an HTTP call with HTTP authentication to get a session cookie, and then all following calls use the session cookie. The app can wipe the encrypted password after x failed attempts to enter the PIN code. In that case the user must enter the password again. The only disadvantage of this approach is that the password is stored in local storage. It's encrypted, but with a simple key, so enumeration of all keys is possible. An attacker with access to the phone will be able to get it. So it depends on your risk profile whether this is an issue or not.

Cheers
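Added example, not code from the thread or from any SAP component: a stdlib-only Python model of the PIN-wrapped-credential store Martin describes, including the failed-attempt wipe. It derives a key from the PIN with PBKDF2 over a random salt, then uses encrypt-then-MAC with an HMAC-SHA256 keystream (a stand-in for AES-GCM, which the standard library does not provide; a real app would use a platform cipher or keystore). The iteration count, the wipe threshold x and all sample values are assumptions. The pin_keyspace helper states the limit Martin warns about: an attacker who copies the blob is not bound by the attempt counter, and the work to try every PIN is at most keyspace times one key derivation, so the KDF cost only slows, never prevents, that enumeration.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

PBKDF2_ITERATIONS = 200_000   # assumption; raises per-guess cost, not the keyspace
MAX_FAILED_ATTEMPTS = 5       # the "x" from the post; chosen here


def _derive_keys(pin: str, salt: bytes) -> Tuple[bytes, bytes]:
    """Stretch the PIN into separate encryption and MAC keys."""
    material = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt,
                                   PBKDF2_ITERATIONS, dklen=64)
    return material[:32], material[32:]


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode; stands in for a real stream/AEAD cipher."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _xor(data: bytes, stream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, stream))


class PinWrappedCredential:
    """Password encrypted under a PIN-derived key, with a wipe-on-failure counter."""

    def __init__(self, username: str, password: str, pin: str) -> None:
        self.username = username
        self.salt = os.urandom(16)
        self.nonce = os.urandom(16)
        enc_key, mac_key = _derive_keys(pin, self.salt)
        pw_bytes = password.encode()
        ciphertext = _xor(pw_bytes, _keystream(enc_key, self.nonce, len(pw_bytes)))
        tag = hmac.new(mac_key, self.nonce + ciphertext, hashlib.sha256).digest()
        self.blob: Optional[Tuple[bytes, bytes]] = (ciphertext, tag)
        self.failed = 0

    def is_wiped(self) -> bool:
        return self.blob is None

    def unlock(self, pin: str) -> Optional[str]:
        """Return the password for a correct PIN; None on failure or after a wipe."""
        if self.blob is None:
            return None                       # user must re-enter the password
        ciphertext, tag = self.blob
        enc_key, mac_key = _derive_keys(pin, self.salt)
        expected = hmac.new(mac_key, self.nonce + ciphertext, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            self.failed += 1
            if self.failed >= MAX_FAILED_ATTEMPTS:
                self.blob = None              # wipe: the stored secret is gone
            return None
        self.failed = 0
        return _xor(ciphertext, _keystream(enc_key, self.nonce, len(ciphertext))).decode()


def pin_keyspace(digits: int) -> int:
    """Number of PINs an offline attacker holding the blob would need to try at most."""
    return 10 ** digits


if __name__ == "__main__":
    cred = PinWrappedCredential("dagfinn", "S3cret!pw", "123456")   # constructed sample
    print(cred.unlock("123456"))          # the stored password
    print(cred.unlock("000000"))          # None, failed counter = 1
    print("6-digit PIN keyspace:", pin_keyspace(6))
```

The counter protects only the online path through the app; the page's caveat about key enumeration applies to the copied blob, where the cost is bounded by pin_keyspace(digits) derivations no matter how the blob is wrapped. That is why the post makes this a risk-profile decision rather than a property the wrapping can fix.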