How to Create a Password to Keep the SAP System Secure?

Reading time: 4 min.
Tomasz Jurgielewicz

How to Create a Password to Keep the SAP System Secure?

The subject is old, as old as a worn jacket after 200 meetings on security. Known topic, known as the most popular password on the web (123456 (?)). A topic as stretched as ... a thin layer of butter on a large slice of bread ... But it returns like a boomerang, not because it is popular and liked, but because it is important and critical to safety.

How do we create passwords most often?

Imagine a scenario where the SAP kernel settings regarding password parameters are set by default.

User enters his new password: a.
The message is as follows: 'The password is not long enough (minimum length: 6 characters).'

The user enters the next password: aaaaaa.
Another message sounds: 'The first three characters of a password must be different from each other

The uses writes: ababab.

Finally!

Both the user is satisfied, because the system has stopped making his life difficult, and the system is "satisfied".
Now comes the question (and if it doesn't, it should):

Is such protection sufficient for us, as system administrators?


The length does matter

What can I say? The longer the password, the better. Nevertheless, this rule is deliberately broken or simply ignored because the user downplays the use of long passwords. It is supposed to be short, fast and to work.
What to do to "motivate" the user to use longer passwords, but, on the other hand, not to "torment" him with the monotony of typing 40 characters?
Change the default value of the parameter ‘login/min_password_lng’.
What to choose? At least 12 characters.
This parameter allows the range from 3 to 40 characters. In extreme cases, from 0 to 8 characters combined with another parameter.
However, remember, the longer the password, the more secure.

The Password Strength

Since it appeared later in the text, we have no doubt that a long password is not everything.
The user enters a new password, where this time he has to "type" at least 12 characters: abababababab.
Looking at the new password, we find that fortunately our user is a fictional character and any resemblance to real users is coincidental.

What, as administrators, can we do about it?

We have the following three parameters:

login/min_password_digits

login/min_password_letters

login/min_password_specials


The first parameter
defines the minimum number of digits (digits from 0 to 9) that the user must use when entering a new password. There can be even 40 of them, but in combination with the other two parameters, the maximum is 36 digits.

The second parameter
forces you to enter a minimum number of letters, again up to 40 characters (A to Z; a to z). Special characters remain. After all, what a strong password is this without a semicolon or parenthesis;) But to the point, we have a lot to show off using the available special characters, which will not be letters and numbers:

!"@ $%&/()=?'`*+~#-_.,;:{[]}\<>|

We have a solid set of signs ready to help keep your system secure. The password: il1k3indianaj0nes;) is allready really something more difficult to break.

The Quality of the Password

What if you add to the oven and improve the quality of the slogans? is it possible? Yes indeed!

Additions in the form of two parameters come to the rescue, the names of which at a glance indicate what the variety is:

login/min_password_lowercase

login/min_password_uppercase

The first parameter is responsible for the minimum number of lowercase letters in a password.
The latter for the minimum number of uppercase letters in the password.

Now this is magic! A satisfied user enters the password according to the new rules: A9#CgeGG8ea].

The administrators are very happy. Just… how to remember it…?

Can we do anything else?

Yes. It is worth considering additional safety-enhancing parameters that support those listed above.

Certainly, the administrators would like the changes to take effect, if not immediately, then only a little later.

Parameter ‘login/password_compliance_to_current_policy’ it is important in the context of the above, because it forces the password to be changed in relation to the new policy immediately after logging in.
Setting the parameter to 1 means that the user's password will be checked against the current password security policy. If at least one of the parameters is not met, the password change will be forced.

To make passwords easy to remember, many users use their own templates. When it comes time to change the password then they replace one or two characters. This means that the core, or a large "piece" of password, remains unchanged.

To make such actions difficult and to maintain the high complexity of passwords, we can use the parameter ‘login/min_password_diff’. The parameter value (from 1 to 40) means how many characters in the new password in relation to the old password must be changed.

A related consideration to the above is that the user should not use the same passwords too often. This function is guaranteed by the parameter ‘login/password_history_size’. It stores from the last 1 to 100 passwords used by the user. If we set this parameter to 5, it means that five cycles must pass for the user to use password # 1 again.

Recomendation

Implement. Do not leave the door open to anyone wishing to enter the system. Remember that before implementing the solution, tests should be carried out, especially when our system connects to systems with lower versions.
Who would like to end up with a locked production system? Hand up.
Finally the most important thing: Users are not allowed to write passwords on cards and stick them to monitors, carry them in a computer bag or leave them on a desk. After all, it's like scratching / scratching / lubricating the PIN for a payment card on the ATM we use. Such user should be reprimanded.

Author: Bartosz /Sast Team Poand/

GOOD TO READ ABOUT SAP SECURITY:

If you find this article valuable, please share it.
This will allow us to reach new people. Thank you in advance!

We will take care of the digital transformation of your business

Do you want to protect your business against cyber attacks? Or maybe you are planning a digital transformation or looking for IT specialists for a project? We are happy to help. We are here for you. Let's talk about professional IT services for your company.
Contact Us
Darmowy e-book

Wszystko, co musisz wiedzieć
o migracji z SAP ERP na SAP S/4HANA

Nasz zespół ekspertów przygotował dla Ciebie
e-poradnik, dzięki któremu zrobisz to łatwo, bezboleśnie i bez szkody dla bezpieczeństwa
Twojej firmy.

To praktyczna wiedza podana w przystępnym
języku - zupełnie za darmo.
Pobierz darmowego e-booka
Address Information
ul. Tęczowa 3 , 60-275 Poznań
NIP: 5213683072
REGON: 360098885
Visit our Social Media:
Lukardi 2022. All Rights Reserved. 
Made with