Former Member

Possibility to allow only digit based passwords in NetWeaver ABAP

Hi,

Is it possible to set up the password rules for NetWeaver ABAP so that it's only possible to have passwords with digits?

Based on the password rules here https://help.sap.com/saphelp_nw70ehp1/helpdata/en/d2/141fb593c742b5aad8f272dd487b74/content.htm it ought to be possible.

For a six-digit password I would try:

login/min_password_lng = 6
login/min_password_digits = 6
login/min_password_letters = 0
login/min_password_specials = 0
login/min_password_lowercase = 0
login/min_password_uppercase = 0


Anyone tried this before?

Regards

Dagfin


2 Answers

  • Best Answer
    Oct 01, 2014 at 10:30 AM

    You can't do it just by setting minima. Your rules above allow me to have "123456abc" as a password. You need to be able to set maxima also, and there are no such parameters. As far as I know there are no user exits that happen at the right time either. I don't think there's a way to do what you want.

    Steve.
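The point about minima in the answer above, as an added example that is not part of the original thread and is not SAP's code: a simplified model of minimum-only checks using the parameter names from the question. The checking logic, the function names and the treatment of every non-alphanumeric character as a "special" are assumptions made for illustration.

```python
import string

# Parameter names and values are the ones proposed in the question.
# The evaluation logic below is a hypothetical model, not NetWeaver's implementation.
POLICY = {
    "login/min_password_lng": 6,
    "login/min_password_digits": 6,
    "login/min_password_letters": 0,
    "login/min_password_specials": 0,
    "login/min_password_lowercase": 0,
    "login/min_password_uppercase": 0,
}

def count_classes(password):
    """Count the character classes that the minimum parameters refer to."""
    digits = sum(c in string.digits for c in password)
    lower = sum(c in string.ascii_lowercase for c in password)
    upper = sum(c in string.ascii_uppercase for c in password)
    return {
        "lng": len(password),
        "digits": digits,
        "letters": lower + upper,
        "lowercase": lower,
        "uppercase": upper,
        # Assumption: anything that is not an ASCII digit or letter is a special.
        "specials": len(password) - digits - lower - upper,
    }

def violations(password, policy=POLICY):
    """Return the parameters whose minimum the password does not reach."""
    counts = count_classes(password)
    return [name for name, minimum in policy.items()
            if counts[name.rsplit("_", 1)[1]] < minimum]

def accepted_by_minima(password, policy=POLICY):
    """A minimum-only policy accepts anything that reaches every floor."""
    return not violations(password, policy)

def accepted_digits_only(password, policy=POLICY):
    """The rule the question wants: the minima plus a maximum of zero
    letters and zero specials, which the minimum parameters cannot express."""
    counts = count_classes(password)
    return (accepted_by_minima(password, policy)
            and counts["letters"] == 0 and counts["specials"] == 0)

if __name__ == "__main__":
    for pw in ["123456", "123456abc", "12345a", "12345"]:  # constructed samples
        print(pw, accepted_by_minima(pw), accepted_digits_only(pw), violations(pw))
```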


  • Oct 01, 2014 at 09:35 PM

    Hi,

    Why do you want to restrict only to numbers? Is it for mobile apps? You can allow passwords only with digits, but why would you disable other characters?

    Cheers


    • Hi,

      If you can guarantee that users won't be able to access the system any other way than via the mobile app, then you can create a custom app that will allow users to set a password with digits only.

      Another approach that I have seen is that a mobile app allows the user to set a PIN code. A user logs on for the first time with username/password and then she is prompted to choose a PIN. The chosen PIN is used to encrypt the original password. Whenever the PIN code is entered, the mobile app decrypts the password stored in local storage, makes an HTTP call with HTTP authentication to get a session cookie, and then all following calls use the session cookie. The app can wipe out the encrypted password after x failed attempts to enter the PIN code. In that case the user must enter the password again. The only disadvantage of this approach is that the password is stored in local storage. It's encrypted but with a simple key, so enumeration of all keys is possible. An attacker with access to the phone will be able to get it. So it depends on your risk profile if this is an issue or not.

      Cheers