The subject is old, as worn as a jacket that has been to two hundred security meetings. It is as well known as the most popular password on the web (123456, anyone?), and as thinly stretched as a layer of butter on a large slice of bread. But it keeps coming back like a boomerang, not because it is popular and liked, but because it is important and critical to security.
Imagine a scenario in which the SAP kernel's password parameters are left at their default values.
The user enters a new password: a.
The system replies: 'The password is not long enough (minimum length: 6 characters).'
The user tries the next password: aaaaaa.
Another message appears: 'The first three characters of the password must not be identical.'
The user types: ababab.
Finally!
The user is satisfied, because the system has stopped making his life difficult, and the system is "satisfied" too.
Now comes the question (and if it doesn't, it should):
Is such protection sufficient for us, as system administrators?
What can one say? The longer the password, the better. Nevertheless, this rule is deliberately broken or simply ignored, because users downplay the value of long passwords: a password is supposed to be short, quick to type and just work.
What can we do to "motivate" users to choose longer passwords without "tormenting" them with the monotony of typing 40 characters?
Change the default value of the parameter 'login/min_password_lng'.
Which value? At least 12 characters.
The parameter accepts values from 3 to 40 characters; on older releases, in combination with another parameter, the range is limited to 0 to 8 characters.
Still, remember: the longer the password, the more secure it is.
As the rest of the text shows, however, a long password is not everything.
The user enters a new password, this time having to type at least 12 characters: abababababab.
Looking at the new password, we note with relief that our user is a fictional character and any resemblance to real users is coincidental.
What can we, as administrators, do about it?
We have the following three parameters:
login/min_password_digits
login/min_password_letters
login/min_password_specials
The first parameter defines the minimum number of digits (0 to 9) that the user must include in a new password. It can be set as high as 40, but in combination with the other two parameters the maximum is 36 digits.
The second parameter enforces a minimum number of letters (A to Z, a to z), again up to 40. That leaves special characters. After all, what kind of strong password has no semicolon or parenthesis? ;) But to the point: we have plenty to choose from among the special characters, which are neither letters nor digits:
!"@ $%&/()=?'`*+~#-_.,;:{[]}\<>|
That is a solid set of characters (note that the blank between @ and $ is one of them) ready to help keep the system secure. The password il1k3indianaj0nes;) is already considerably harder to break, with one caveat: swapping 1 for i, 3 for e and 0 for o in a well-known phrase is a standard substitution rule in cracking tools, so the gain is smaller than the character mix suggests.
What if we turn up the heat and improve the quality of passwords further? Is that possible? Yes indeed!
Two additional parameters come to the rescue; their names make the required variety obvious at a glance:
login/min_password_lowercase
login/min_password_uppercase
The first is responsible for the minimum number of lowercase letters in the password.
The second for the minimum number of uppercase letters.
Now this is magic! A satisfied user enters a password that meets the new rules: A9#CgeGG8ea].
The administrators are very happy. Just… how to remember it…?
Which brings us to additional security-enhancing parameters that support those listed above.
Administrators will certainly want the new rules to take effect, if not immediately, then only a little later.
The parameter 'login/password_compliance_to_current_policy' matters here, because it forces a password that does not meet the new policy to be changed immediately after logon.
Setting it to 1 means the user's existing password is checked against the current password policy at logon. If at least one requirement is not met, a password change is forced.
To keep passwords easy to remember, many users have their own templates: when it is time to change the password, they replace one or two characters, so the core, or a large "piece", of the password remains unchanged.
To make this harder and keep passwords complex, we can use the parameter 'login/min_password_diff'. Its value (1 to 40) is the number of characters of the new password that must differ from the old one.
A related point: users should not be able to reuse the same passwords too often. This is covered by the parameter 'login/password_history_size', which keeps the last 1 to 100 passwords used by the user. If set to 5, five password changes must pass before password #1 can be used again.
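The checks that the parameters above describe, from 'login/min_password_lng' through 'login/password_history_size', re-implemented as an added Python example so the article's sample passwords can be tried offline. This is not SAP code; the kernel's real checks run inside the system. The values in HARDENED_POLICY are illustrative assumptions rather than an SAP recommendation, and the position-by-position comparison used for 'login/min_password_diff' is also an assumption, since SAP does not publish that algorithm.

```python
"""Model of the SAP password-policy profile parameters discussed in the article.

Added example, not SAP code: it re-implements what the parameters describe so
that the sample passwords from the text can be checked offline.
"""
from dataclasses import dataclass

# Special characters as listed in the article; the blank between @ and $ is one of them.
SAP_SPECIALS = set('!"@ $%&/()=?\'`*+~#-_.,;:{[]}\\<>|')
LETTERS = set("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ")
DIGITS = set("0123456789")


@dataclass(frozen=True)
class PasswordPolicy:
    """Field names mirror the profile parameters (login/min_password_lng etc.)."""
    min_password_lng: int = 6
    min_password_digits: int = 0
    min_password_letters: int = 0
    min_password_specials: int = 0
    min_password_lowercase: int = 0
    min_password_uppercase: int = 0
    min_password_diff: int = 1
    password_history_size: int = 5


# Kernel defaults as the article describes them: only the length of 6 is enforced.
DEFAULT_POLICY = PasswordPolicy()

# Hardened values chosen for illustration (an assumption, not an SAP recommendation).
HARDENED_POLICY = PasswordPolicy(
    min_password_lng=12,
    min_password_digits=1,
    min_password_letters=1,
    min_password_specials=1,
    min_password_lowercase=1,
    min_password_uppercase=1,
    min_password_diff=3,
    password_history_size=5,
)


def changed_positions(old: str, new: str) -> int:
    """Characters of `new` that differ from `old`, compared position by position.

    Assumption: SAP does not publish the exact comparison behind
    login/min_password_diff; here a length difference also counts as changed.
    """
    return sum(a != b for a, b in zip(old, new)) + abs(len(old) - len(new))


def check_password(new: str, policy: PasswordPolicy, old: str = "", history=()) -> list:
    """Return the list of violated rules for `new`; an empty list means accepted.

    `history` holds the user's previous passwords, newest first; only the last
    `password_history_size` entries count, as the parameter describes.
    """
    errors = []
    if len(new) < policy.min_password_lng:
        errors.append(
            f"The password is not long enough (minimum length: {policy.min_password_lng} characters).")
    # Fixed kernel rule quoted in the article, applied as "the first three
    # characters must not all be identical" (so ababab is accepted, aaaaaa is not).
    if len(new) >= 3 and len(set(new[:3])) == 1:
        errors.append("The first three characters of the password must not be identical.")
    counts = {
        "digits": sum(c in DIGITS for c in new),
        "letters": sum(c in LETTERS for c in new),
        "specials": sum(c in SAP_SPECIALS for c in new),
        "lowercase": sum(c in LETTERS and c.islower() for c in new),
        "uppercase": sum(c in LETTERS and c.isupper() for c in new),
    }
    for name, have in counts.items():
        need = getattr(policy, f"min_password_{name}")
        if have < need:
            errors.append(f"Too few {name}: {have} < {need} (login/min_password_{name}).")
    if old and changed_positions(old, new) < policy.min_password_diff:
        errors.append(
            f"Fewer than {policy.min_password_diff} characters changed (login/min_password_diff).")
    recent = list(history)[:policy.password_history_size]
    if new in recent:
        errors.append("Password was used recently (login/password_history_size).")
    return errors


def force_change_at_logon(current: str, policy: PasswordPolicy,
                          compliance_to_current_policy: int = 1) -> bool:
    """login/password_compliance_to_current_policy = 1: an existing password that
    fails the current policy is rejected at the next logon and must be changed."""
    return compliance_to_current_policy == 1 and bool(check_password(current, policy))


if __name__ == "__main__":
    # The article's fictional user, first against the defaults, then hardened.
    for pw in ("a", "aaaaaa", "ababab"):
        print(f"default  {pw!r}: {check_password(pw, DEFAULT_POLICY) or 'accepted'}")
    for pw in ("abababababab", "il1k3indianaj0nes;)", "A9#CgeGG8ea]"):
        print(f"hardened {pw!r}: {check_password(pw, HARDENED_POLICY) or 'accepted'}")
    # A one-character "template" change and a reuse from history are both refused.
    print(check_password("A9#CgeGG8ea}", HARDENED_POLICY, old="A9#CgeGG8ea]"))
    print(check_password("A9#CgeGG8ea]", HARDENED_POLICY, old="Xy7!pQr2sTu#",
                         history=["A9#CgeGG8ea]"]))
    print(force_change_at_logon("ababab", HARDENED_POLICY))
```

Running the block prints the verdict for each password in the text: the defaults accept ababab, the hardened policy rejects abababababab on three counts and il1k3indianaj0nes;) only for lacking an uppercase letter, while A9#CgeGG8ea] passes. Changing a single character of it is then refused by min_password_diff, re-using it is refused by the history, and force_change_at_logon shows why a user still holding ababab is sent to the change-password screen once compliance_to_current_policy is 1.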
Implement these settings. Do not leave the door open to anyone wishing to enter the system. But test before rolling them out, especially when the system connects to systems running older versions.
Who would like to end up with a locked production system? Hands up.
Finally, the most important thing: users must not write passwords on cards and stick them to monitors, carry them in a laptop bag or leave them on a desk. It is like scratching the PIN into the payment card we use at the ATM. Such a user should be reprimanded.
Author: Bartosz /Sast Team Poland/