on 02-20-2015 11:07 AM
Hi folks,
>> Opening SCN, SSO seems not to work, clicking on "Log On"
>> "SAP Identity Cloud says your Password is not secure enough, please change it now"
>> Guidelines: Your new password must be exactly 8 characters long....
>> 8 characters
>> 8
>> not secure enough, must be exactly 8 characters
So, hands up, kids, who wants to be brute-forced first? I assume I'll need a little less than three weeks for any of you (including myself)...
Cheers, Lukas
Hi Lukas,
The ancient password requirements come from the fact that this is an S-user and the user is managed by the Service Marketplace. Because this is still a fairly old R/3-based system, these password requirements still exist there.
For one, there is protection against brute-force attacks, where a certain number of failed login requests will block the ability to log in for a day or so (I don't have specific info on this).
Second, there is an upgrade of SMP in the works, which will hopefully bring the password requirements up to the latest standards.
Best,
Oliver
Ah, so that's why the enforcement of exactly 8 characters (the most supported by old R/3 systems), and the lack of case sensitivity in the midst of requiring letters, numbers, and special characters. I always thought that exact requirement of 8 characters was odd, but now it's making sense. The last time I changed my SCN/SMP password I kept providing something longer than 8 characters and couldn't figure out why it wasn't working.
Sums up perfectly everything that is wrong with using stringent password requirements.
I like the ability to use a passphrase instead of a password.
It rapidly increases the entropy of the passcode, as long as it does not increase the collision rate with the one-way hash, in the case that the hash is extracted and salts are not used to make it useless information.
But regardless of the strength of the password, I still shudder most at the "password reset services" which return the same initial password or return the clear-text password to you for the "ah ha" moment (so that you are not confronted by it when changing the password because it was the previous one as well, the one you could not remember...). This means that the password storage is reversible, or that sufficient information is transferred in application programs for an admin to be able to snatch the clear-text password of all users. That should simply not be possible and not supported, as application users do not have any contracts or NDA agreements with system admins and service providers and their admins.
In this latter case it really does not matter much what your password is.
Cheers,
Julius
Yeah, those password settings are rather strange. I remember cursing it when I tried to change my password some months back and had to keep making it simpler. That was fun...
At least this shameful password system is genuinely and openly published, i.e. I'm openly told it's insecure and easily crackable. Much unlike Amazon 10 years or so ago, when you could input passwords of up to 30 characters but only the first 5 were actually considered, checked and written to the system.
Still, meh.
Actually it was like that by default in SAP as well until a while ago, and it changed only for new installations. Password compatibility with legacy systems truncated the password at the 8th character and converted alphabetical characters to upper case.
Perhaps a 4.6C system is still in the SCN infrastructure as middleware and hence the backward compatibility is needed?
Cheers,
Julius