cancel
Showing results for 
Search instead for 
Did you mean: 

Ridiculous Service Market Place Password Restrictions

Former Member
0 Kudos
123

If you ask my opinion SAP have gone silly with their service market place password restrictions for "S" numbers.

The following lists the "MUST" Criteria and my comments as to why this is just plain silly

  • Be 8 characters long
  • ===>>> Must be 8 Characters long, not only does that limit password entropy which is where real security comes from it is like hanging out a big flag to crackers, hey, you don't have to worry about brute force for any other length than 8 chars, and guess what password is 8 chars, oh Password !!!! Is your Char field only 8 char's long? what happens if I try to put more than 8 in it??
  • Include at least one letter (a-z, A-Z) and one number (0-9). Note: the password is not case-sensitive 
  • ===>>> What??? The password is NOT Case-sensitive???????
  • Include at least one special character from the following set: ! \ " @ $ % & / ( { [ ] } ) + - * = ? ' ~ # _ . , ; : < > 
  • ====>>>  Limiting my ASCII set, so now not only do I know what your program is looking for programmatically you have limited my password strength possibilities
  • Not contain any blanks 
  • ===>>> Why NOT? another something crackers can eliminate from their brute force attacks, and not only that you have given hints that your software cannot handle spaces, that might produce interesting results..... Given we assume SAP runs SAP can we then assume that all Netweaver stack's hold this kind of susceptibility?? not saying it does, but maybe it does given you have to legislate against it
  • Not start with ? or ! 
  • =====>>>> Why NOT? afraid of SQL injection maybe? just given crackers more clues as to your password strength rules and a possible knowledge that you are not handling attacks very well??? are you taking a POST with a ? in it that does interesting stuff? just raising the question ....
  • Not begin with 3 identical characters 
  • ====> Great, 8 chars and cannot have 3 identical chars at the start, more I can eliminate from a brute force dictionary
  • Be different from the last 5 passwords 
  • ===>>> Someone please explain how Passwork is more secure than Passworj than Passworh than Passworg than Passworf than Password Please do so !!!!!



    Call me a cynical old admin but really, I have never seen such a long ridiculous rule set for passwords that adds absolutely no value to your password policy, in fact it significantly detracts from it!!!

Accepted Solutions (0)

Answers (3)

Answers (3)

Jelena_Perfiljeva
Active Contributor
0 Kudos

Had a good chuckle on this one. I realy hate using special characters in the passwords, not sure why there is a belief they add an extra layer of protection. And the requirement to be different from the last 5 passwords actually does lead exactly to the passwords like you've mentioned.

former_member42743
Active Contributor
0 Kudos

I'm pretty sure the password is not limited to just 8 characters only.  In fact I know it isn't because mine is longer than 8. But I won't tell you how much longer! 

Brute force cracking also assumes you can make unlimited attempts.  I'm sure SAP boots you out after three tries and makes sure you have to start over again after a random timeout period. 

And I'm pretty sure that after a certain number of failed attempts within a given time frame, it will lock the account.

Most of the other requirements are pretty standard as Jurgen as pointed out. 

Besides, I don't think SAP considers the S accounts to require a super high security requirement.  While I know some OSS notes can be pretty cryptic, they aren't exactly guarding state secrets.

I'm don't really see the issue.  If you're an IT admin, this should really be old hat for you. 

But if you ask SAP, maybe they'll set up your account to follow some of the military standards and give you a randomly generated, 18 character, system assigned password every 14 days that you have to memorize. 

FF

Former Member
0 Kudos

Trust me, it must be exactly 8, I've had to do several as of late

Assuming no-one get's direct access to the DB on the BF attack

former_member183750
Active Contributor
0 Kudos

Interesting because my pwd, like Fire Fighter's is more than 8. I'll even let you know that it's more that 8 and less than 15. Perhaps it matters if an S user ID is used or I user ID or email ID, etc., etc... Makes you wonder if someone from SCN / Jive could comment(?).

- Ludek

Senior Support Engineer AGS Product Support, Global Support Center Canada

Former Member
0 Kudos

Yeah, mine used to be greater than 8 too, but I had to change it a few months back and that is when I discovered these rules. - note that the rules without my comments are written verbatim under the change password option in the SMP

JL23
Active Contributor
0 Kudos

you have not seen such a list before?

I know such from my work, from my bank, my insurance company and many more areas where I need passwords for.

  • Include at least one special character from the following set: ! \ " @ $ % & / ( { [ ] } ) + - * = ? ' ~ # _ . , ; : < >

this does actually not limit you, it forces the majority of users to use such characters instead of keeping their relatives names just like they are.

Any of those rules makes your password stronger.

However I am glad that SAP and all companies (except my own) do not force us to change the password every month, as this just ends up in writing it down.

Former Member
0 Kudos

We use rules similar in all secure areas but not like these. Not sure if you read it fully but the following things specified under the password change option verbatim I have put above that is specifically concerning and done no-where else where you look for a secure password:

1. the password is not case-sensitive

2. Not contain any blanks 
3. Be 8 characters long and only 8 characters long

JL23
Active Contributor
0 Kudos

Agreed, does not look wise, but I am certain I have seen this somewhere else too, but don't want to be a whistle-blower