SAP Logon password length

Former Member
0 Kudos

Hi All,

In ECC 6.0, when a user is set up there is an option which says the password needs to be > 6. But there is no restriction on the max length.

We would like to restrict the password length to 8.

When the user is initially created, Basis sets it to 8 chars in length.

The user can always click on new password and change the password. When he does that and presses Enter, I would like to check the length of the new pwd and show an error message if the password > 8.

Could anyone help me with how to go about this?

For the logon screen there is only one user exit. Can I check it here? I do not know which table or structure the values are stored in.

1 ACCEPTED SOLUTION

WolfgangJanzen
Product and Topic Expert
0 Kudos

Why do you want to restrict the password length?

There can only be one reason: you have older systems in your landscape which do not support passwords which contain more than 8 characters and you want to synchronize the passwords across all systems.

Well, such an approach is subject to failure for multiple reasons:

1. restricting the passwords to 8 characters is not sufficient; length-restricted passwords can still contain lower-case characters and therefore be downwards-incompatible (see SAP Note 1023437, https://service.sap.com/sap/support/notes/1023437)

2. password policies (including: password history) are system-specific; passwords which are accepted by one system might be rejected by another one; some systems might be unavailable at the point of time the password change was performed; they will run out of sync; even if all systems are available, the synchronization itself takes some time; during that time password-based logon requests will fail, potentially resulting in a password lock (all that is described in SAP Note 376856, https://service.sap.com/sap/support/notes/376856).

As explained in SAP Note 1023437 (https://service.sap.com/sap/support/notes/1023437) it is possible to instruct an NWAS ABAP to create only downwards-compatible passwords (starting from the moment when passwords are changed / set while profile parameter login/password_downwards_compatibility is set to value 5). This then affects the UIs where you can enter new passwords - but not the ones where you enter the old password (since the old password might have been set / changed while login/password_downwards_compatibility < 5); that's at least true for the SAPGUI logon and for web-based access when using the "System Logon" (see SAP Note 978885, https://service.sap.com/sap/support/notes/978885).

Cheers, Wolfgang

24 REPLIES 24

Former Member
0 Kudos

I think for this you need help from an ABAP developer, the question may be better in the 'ABAP Development forum'.

However, as this is not supplied by SAP and is not required from an audit point of view, can I ask why you require this functionality? I think if it is not available we have to question our intentions to some intent, without saying it is incorrect, as there are lots of valid reasons for user exits etc.

Hope this helps.

Regards

Ashley

0 Kudos

Thanks for replying, and apologies for posting it in the wrong area ... I did not notice it until mentioned...

Well, it's a business requirement, as we have portals and a few more internal sites where passwords are restricted to 8. Maintaining consistency is the only way to avoid discrepancy.

0 Kudos

No problem, so it's an organizational policy, which is understandable; as you say, consistency does away with any ambiguity.

I would suggest you talk with an ABAP developer to identify a user exit or similar solution to your issue. Otherwise I am not aware of a solution available for this issue.

Sorry I could not help more.

Regards

Ashley

Former Member
0 Kudos

You can use parameter login/password_downwards_compatibility to force max 8 char passwords.

Read the following blog for more info on password related parameters: https://www.sdn.sap.com/irj/sdn/weblogs?blog=/pub/wlg/2574. [original link is broken]

Keep in mind that when changing the compatibility parameter for shorter passwords, it may change how the hash values work along with other password related issues.

Cheers,

Ben

Former Member
0 Kudos

Hello ,

I think like this..your purpose will solve...

In RZ11....login/min_password_lng

Here it has some minimum and maximum passwd length..put your required max pass length...

The tables related..to users..are..

All user info. USR02

All user passwd restrictions USR40

User Profiles USR10

User Authorizations USR12

User history tables USH02

List of All Tables DD02L

I hope this information will help you...!!

Note: Points always encourage me to reply !!

Former Member
0 Kudos

Hello,

You want the user to have to enter a password of length 8, right?

If so, then set login/min_password_lng to 8 and your problem is solved.

Regards,

kamlesh

0 Kudos

Thanks all for your efforts ...

Well, we are able to restrict the password to 8 in the pwd settings, but the SAP logon screen does not adjust the password INPUT FIELD SIZE to restrict it to 8. There the user can enter more, and it then ends in him not being able to log in.

0 Kudos

This message was moderated.

0 Kudos

We have set downward compatibility to 5.

Well, I would just like to make myself more clear with a scenario:

1. I created a user called "testuser" with initial password "password".

2. testuser logs into R/3 now and changes the password to "changedpass123". Even though the input box is only 8 characters long, he can still enter THIS "changedpassword123" and log into the system.

3. Then he logs out and logs in again, and the system does not allow him in. The system only accepts "testuser/changedp", the 8-char pwd.

4. Now this is a problem: since the user was allowed to change the pwd to more than 8, he now expects to log in the same way ...

Hope I am clear now. I have found a blog as well with a similar issue, but unfortunately no solution to it.

0 Kudos

I only have 2 questions:

Which UI are you using to change the user's password (in step 2 of your description)?

What is the value of login/password_downwards_compatibility (SA38 -> RSPARAM)?

0 Kudos

1. User clicks on SAP Logon Pad and clicks on change password.

2. Downward compatibility value - 5

0 Kudos

I've just verified it again:

(1) start application server with login/password_downwards_compatibility = 5

(2) logon with SAPGUI, change password: -> password field is only 8 characters long; I have to enter the new password twice; if I enter "abcd12345678" into the first field and "abcd1234" into the second field, the check whether both values are identical succeeds - the effective password value is "ABCD1234" (case-insensitive!)

(3) logoff

(4) logon again - try with password "abcd12345678": fails

(5) logon - try with password "aBcD1234": succeeds

That's confirming my previous statements.

If your system shows a different behavior, kindly submit a support report describing in detail how to reproduce the problem. Ideally you can enable a remote connection to your system so that SAP can analyse the problem in your system.

Best regards, Wolfgang

0 Kudos

Thanks for the reply,

You are absolutely right, as that's exactly what we have observed. But the problem is when the users try to change the password to "abcd12345678".

They log off and log in again and type in abcd12345678 (whereas SAP has only accepted abcd1234). Why should they try 8 chars? Their thoughts are that if they have entered abcd12345678 and SAP accepted it as the password, then why isn't it allowing them to log in?

SAP should not have allowed them to enter such a big password if it will not accept it (based on settings). This is clearly MISLEADING. We cannot explain this to the users; they won't accept it.

Shouldn't it be that the user pwd is not accepted if it does not match the download compatibility settings for the system?

This is what I am trying to find out.

0 Kudos

I think I got the point, now.

You are "complaining" about the fact that the input field is limited to 8 characters but that there is no acoustic / optical feedback when a user is trying to enter more characters into an input field - exceeding the defined boundaries.

Well, that's an issue affecting the user agent (here: SAPGUI).

Actually that affects all input fields - not only those for passwords.

However, since passwords are entered "blindly" users will not obtain an "optical feedback" that the characters they have entered are no longer entered into the field.

My proposal: SAPGUI should display a "tooltip" information (i.e. an optical information that occurs right next to the affected input field) once the end of a hidden input field is reached.

Open issue: how can the very same be implemented for HTML rendered forms? (I'm not familiar whether there is an event which could be caught and handled by some JavaScript coding).
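
The truncation verified earlier in the thread and the open question about HTML-rendered forms, as an added example that is not part of any post and is not SAP code: it models the reported 8-character, case-insensitive behaviour, shows a check that rejects an over-long entry instead of cutting it off, and a `beforeinput` listener that tells the user when a masked field is full. `MAX_LEN`, the function names and the element ids are assumptions.

```javascript
// Added example, not SAP code. MAX_LEN and every function name are assumptions.
const MAX_LEN = 8;

// Effective value as reported in the thread: only the first 8 characters are
// kept and the comparison is case-insensitive ("abcd12345678" -> "ABCD1234").
function effectivePassword(typed, maxLen = MAX_LEN) {
  return typed.slice(0, maxLen).toUpperCase();
}

// Stricter check for a password-change form: reject an over-long entry
// instead of truncating it, so the user never believes the tail was stored.
function validateNewPassword(first, second, maxLen = MAX_LEN) {
  if (first.length > maxLen || second.length > maxLen) {
    return { ok: false, reason: `longer than ${maxLen} characters` };
  }
  if (first !== second) {
    return { ok: false, reason: "entries differ" };
  }
  return { ok: true, effective: effectivePassword(first, maxLen) };
}

// Handler for the standard "beforeinput" event on a masked field. It blocks an
// insertion that would overflow the field and reports it through notify().
function makeOverflowHandler(maxLen, notify) {
  return function onBeforeInput(event) {
    const isInsert = String(event.inputType || "").startsWith("insert");
    if (!isInsert || typeof event.data !== "string") return false;
    const field = event.target;
    const selected = field.selectionEnd - field.selectionStart;
    const resulting = field.value.length - selected + event.data.length;
    if (resulting <= maxLen) return false;
    event.preventDefault(); // refuse the whole insertion, no silent cut-off
    notify(`Password is limited to ${maxLen} characters.`);
    return true;
  };
}

// Browser wiring; skipped outside a DOM. "new-password" and "pw-hint" are
// hypothetical element ids.
if (typeof document !== "undefined") {
  const field = document.getElementById("new-password");
  const hint = document.getElementById("pw-hint");
  if (field && hint) {
    field.addEventListener("beforeinput",
      makeOverflowHandler(MAX_LEN, (msg) => { hint.textContent = msg; }));
  }
}
```

A client-side hint like this only improves feedback; the length check still has to be enforced where the password is stored.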

0 Kudos

well when i was coding in HTML looong time back there we had the option to set the length of the input field as well ..

so that it does not allow user to enter more than the defined length.

Well so do I assume there is no solution to this issue?

0 Kudos

Is there no solution for this issue ?

0 Kudos

> well when i was coding in HTML looong time back there we had the option to set the length of the input field as well ..

> so that it does not allow user to enter more than the defined length.

That's not the point. The length of the dynpro input field is also restricted - but since the password is entered "blindly" (the entire field is displayed with ********) the user will not receive any feedback on how many characters he has typed in.

> Well so do I assume there is no solution to this issue?

Looks like - at least there is no instant solution respectively I'm not aware of any.

0 Kudos

thank you for all your help . I am now confident of replying back to business that there cannot be any restrictions forced on the password field .

Thanks once again .

I would be closing this query . Thank you

0 Kudos

Well, maybe it helps if you change the settings of SAPGUI:

at "Options" you can change the "Cursor" behavior. If I'm not wrong then enabling the option "Automatic Tabbing at End of Field" would offer a solution to your problem.

0 Kudos

Nice one Wolfgang! I didn't know that setting.

Sorry to sound pessimistic, there is a small downside of that solution as the user already has the habit of not watching the screen to see where it ends (most likely watching the keyboard, particularly so if the current input screen field is "blind") and spelling mistakes are not tolerated...

The user might logon in a language which they themselves don't speak, but the screen audience can potentially "understand" a little bit of, such as '56' in your examples...

Of course using strong passwords mitigates that risk.

Cheers,

Julius

0 Kudos

Well, that's the only instant solution I've found.

If one is interested in a better solution (which however requires to patch the SAPGUI) you are invited to submit a correction / feature request (on component BC-FES-GUI) to SAP.

> [...] as the user already has the habit of not watching the screen to see where it ends (mostly likely watching the keyboard, particularly so if the current input screen field is "blind") [...]

Well, that indicates that we require an acoustic signal (when the end of a "hidden" input field is reached). But since we also might have users with "acoustic handicaps" we definitely need an optical signal (e.g. "tooltip") in addition.

Best regards, Wolfgang

PS: for those who have been wondering about Julius' comment regarding "'56' in your examples" (I also have been puzzled for a while, to be frank): he was referring to the example I gave ("abcd12345678" -> "ABCD1234"), showing that "56" (and every character that follows after the 8th character) was truncated / ignored.

0 Kudos

Thanks for all your suggestions .

0 Kudos

Use the table PRGN_CUST and add the parameter GEN_PSW_MAX_LENGTH with the value 8 or the desired number; this would ensure the right password is generated.