
"Your password is not secure enough!"

Lukas_Weigelt
Active Contributor
0 Kudos

Hi folks,

>> Opening SCN, SSO seems not to work, clicking on "Log On"

>> "SAP Identity Cloud says your Password is not secure enough, please change it now"

>> Guidelines: Your new password must be exactly 8 characters long....

>> 8 characters

>> 8

>> not secure enough, must be exactly 8 characters

So, hands up, kids, who wants to be brute-forced first? I assume I'll need a little less than three weeks for any of you (including myself)...

Cheers, Lukas

Accepted Solutions (1)


oliver
Product and Topic Expert
0 Kudos

Hi Lukas,

The ancient password requirements come from the fact that this is an S-user and the user is managed by the Service Marketplace. Because this is still a fairly old R/3-based system, these password requirements still exist there.

For one, there is a protection against brute-force attacks, where some amount of failed login requests will block the ability to log in for a day or so (I don't have specific info on this).

Second, there is an upgrade of SMP in the works, which will hopefully bring the password requirements up to the latest standards.

Best,

  Oliver

Lukas_Weigelt
Active Contributor
0 Kudos

>> Second, there is an upgrade of SMP in the works, which will hopefully bring the password requirements up to the latest standards.

Now that's good news! 😆

Matt_Fraser
Active Contributor
0 Kudos

Ah, so that's why the enforcement of exactly 8 characters (the most supported by old R/3 systems), and the lack of case-sensitivity in the midst of requiring letters, numbers, and special characters. I always thought that exact requirement of 8 characters was odd, but now it's making sense. The last time I changed my SCN/SMP password I kept providing something more than 8 characters and couldn't figure out why it wasn't working.

Former Member
0 Kudos

Yup, good old R/3 is still hiding in the background there. All this shiny web-based service marketplace stuff is just lipstick...

Steve.

Answers (2)


former_member186746
Active Contributor
0 Kudos

http://xkcd.com/936/

Sums up perfectly everything that is wrong with using stringent password requirements.

Former Member
0 Kudos

I like the ability to use a pass phrase instead of a pass word.

Rapidly increases the entropy of the pass-code, as long as it does not decrease the collision rate with the one-way hash, in the case that it is extracted and salts are not used to make it useless information.

But regardless of the strength of the password, I still shudder most at the "password reset services" which return the same initial password or return the clear text password to you for the "ah ha" moment (so that you are not confronted by it when changing the password because it was the previous one as well - the one you could not remember...). This means that the password storage is reversible or sufficient information is transferred in application programs for an admin to be able to snatch the clear text password of all users. That should simply not be possible and not supported as application users do not have any contracts and NDA agreements with system admins and service providers and their admins.

In this latter case it really does not matter much what your password is.

Cheers,

Julius

Former Member
0 Kudos

With an attack running through dictionaries, I guess it is more like 4-bit entropy.

Steffi_Warnecke
Active Contributor
0 Kudos

Yeah, those password settings are rather strange. I remember cursing it when I tried to change my password some months back and had to keep making it simpler. That was fun...

Lukas_Weigelt
Active Contributor
0 Kudos

At least this shameful password system is genuinely and openly published, i.e. I'm openly told it's insecure and easily crackable. Much unlike Amazon 10 years or so ago, when you could input passwords up to 30 characters but only the first 5 were actually considered, checked and written to the system.

Still, meh.

Former Member
0 Kudos

Actually, it was like that by default in SAP as well until a while ago, and it changed only for new installations. Password compatibility with legacy systems truncated the password at the 8th character and converted alphabetical characters to upper case.

Perhaps a 4.6C system is still in the SCN infrastructure as middleware and hence the backward compatibility is needed?

Cheers,

Julius
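Two technical points in this thread can be put in numbers: Matt's description of the policy (exactly 8 characters, case-insensitive, a letter, a digit and a special character required) and Julius's note that legacy compatibility truncates the entered password at the 8th character and folds letters to upper case. The following is an added example, not code from the thread, from SAP or from the Service Marketplace. The special-character set, the 12-character comparison policy and the guess rate are constructed assumptions.

```python
"""Model of the password handling discussed in this thread: exactly 8
characters, case-insensitive, letter + digit + special required, and
anything typed beyond the 8th character silently dropped.

Added illustration, not code from the thread or from SAP/SMP.  The
special-character set, the comparison policy and the guess rate are
constructed assumptions.
"""
from itertools import combinations
from math import log2

LOWER = "abcdefghijklmnopqrstuvwxyz"
UPPER = LOWER.upper()
DIGITS = "0123456789"
# Assumption: the 32 printable ASCII punctuation characters count as "special".
SPECIALS = "!\"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~"

LEGACY_LENGTH = 8


def legacy_normalize(password: str) -> str:
    """What the legacy handling described in the thread does to an entered
    password before it is stored or compared: keep the first 8 characters
    and fold letters to upper case.  Everything else is discarded."""
    return password[:LEGACY_LENGTH].upper()


def same_legacy_credential(entered_a: str, entered_b: str) -> bool:
    """True if two different inputs authenticate as the same credential
    under the legacy normalisation, i.e. the system cannot tell them apart."""
    return legacy_normalize(entered_a) == legacy_normalize(entered_b)


def count_with_all_classes(classes, length: int) -> int:
    """Number of strings of `length` over the union of `classes` that use at
    least one symbol from every class.

    Inclusion-exclusion over the classes left out: for every subset S of the
    classes, add (-1)^|S| * (size of alphabet without S)^length."""
    n = len(classes)
    total = 0
    for k in range(n + 1):
        for excluded in combinations(range(n), k):
            alphabet = sum(len(c) for i, c in enumerate(classes) if i not in excluded)
            total += (-1) ** k * alphabet ** length
    return total


def policy_bits(classes, length: int) -> float:
    """log2 of the number of passwords the policy admits: the best case,
    assuming users choose uniformly at random (dictionary habits only lower it)."""
    return log2(count_with_all_classes(classes, length))


def legacy_policy_bits() -> float:
    """The thread's policy: 8 characters, case folded, letter+digit+special required."""
    return policy_bits([UPPER, DIGITS, SPECIALS], LEGACY_LENGTH)


def modern_policy_bits(length: int = 12) -> float:
    """Constructed comparison policy: case-sensitive, all four classes required."""
    return policy_bits([LOWER, UPPER, DIGITS, SPECIALS], length)


def expected_guess_seconds(bits: float, guesses_per_second: float) -> float:
    """Expected time to hit a uniformly chosen password by exhaustive guessing:
    half the space on average.  The rate is whatever the defender assumes the
    lockout policy allows; it is an input, not a fact from the thread."""
    return (2.0 ** bits) / 2.0 / guesses_per_second


if __name__ == "__main__":
    typed = "Correct-Horse-Battery-Staple-2013!"  # constructed 34-character passphrase
    print("stored form of the 34-char passphrase:", legacy_normalize(typed))
    print("indistinguishable from 'correct-':", same_legacy_credential(typed, "correct-"))
    print(f"legacy policy      : {legacy_policy_bits():.1f} bits")
    print(f"12-char mixed-case : {modern_policy_bits(12):.1f} bits")
    rate = 1e3  # assumed guesses per second before any lockout kicks in
    days = expected_guess_seconds(legacy_policy_bits(), rate) / 86400
    print(f"expected exhaustive search at {rate:.0f}/s: {days:,.0f} days")
```

The inclusion-exclusion count is what makes the "must contain all classes" rule measurable: it removes the strings that miss a class instead of pretending the composition rule adds strength. The normalisation function shows the other half of the problem: a long passphrase and its first eight characters in any case are the same credential once stored, so a lockout threshold is the only control left, which is exactly what Oliver's answer relies on.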