Do you use a password to log in to SAP systems?
What are the most obvious points you should pay attention to?
Every day you define (some more, some less) users in the system. You receive the users that need to be created from human resources, either as a notification or in other ways, such as through a ticket.
If instead you use a system such as SAP GRC Access Control or Identity Management, you might not have this issue.
In these cases an automatic or manual workflow is triggered to create the new users in the various systems, including SAP.
At the end of the process, the new user needs to know their credentials, meaning username and password, in order to log on.
One of the first aspects to ask about is how this password is handed over to them. Often this aspect is related to the next point.
Which initial password do you choose? This is one of the most important aspects, and it is often underestimated.
What are the most common passwords? Perhaps ones defined during the initial steps of the project?
If you use a technique similar to the above, then you should review this aspect.
What are the risks?
For the above reasons, SAP has introduced a pop-up alert at logon if there have been multiple incorrect logon attempts.
To see the logon attempts, take a look at the following note: OSS 2322332 - Number of failed password logon attempts.
If I try to log in with wrong SAP credentials, the following error shows up:
After the next correct logon I will see the following message:
By default the initial password has no expiration date; however, through the login/password_max_idle_initial instance profile parameter you can set the number of days for which the password remains valid.
Once the defined number of days have passed, the password is disabled and therefore the user (even if he knows the password) can no longer access the system.
Even if not directly connected to the initial password topic, there is a way to make a password expire, even a productive one (i.e. one already changed by the user), in case of no logon for a certain period of time.
This parameter is called login/password_max_idle_productive. In this case I could set a value lower than the mandatory password change interval (if I use this technique).
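To make the two idle limits concrete, here is an added example (not code from the original post, and not SAP's implementation) that audits a constructed list of users the way the two profile parameters would: an initial password is disabled once it has sat unused for more than login/password_max_idle_initial days, a productive one once there has been no logon for more than login/password_max_idle_productive days, and a value of 0 switches the respective check off. The record layout, the sample users, the reference date and the values 7 and 90 are all assumptions chosen for the illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


@dataclass
class SapUser:
    """Constructed record with only the fields the idle checks depend on."""
    name: str
    password_is_initial: bool        # True until the user replaces the admin-set password
    password_set_on: date            # date the current password was set
    last_logon_on: Optional[date]    # last successful password logon, None if never


def password_usable(user: SapUser, today: date,
                    max_idle_initial: int, max_idle_productive: int) -> bool:
    """Return True if the user's password can still be used for a password logon.

    max_idle_initial plays the role of login/password_max_idle_initial and
    max_idle_productive that of login/password_max_idle_productive: both are
    numbers of days, and 0 means "no limit" (assumption made for this example).
    An initial password has never been used, so its idle time is counted from
    the day it was set; a productive password's idle time is counted from the
    last successful logon (or from the day it was set if there was none).
    """
    if user.password_is_initial:
        if max_idle_initial == 0:
            return True
        idle_days = (today - user.password_set_on).days
        return idle_days <= max_idle_initial
    if max_idle_productive == 0:
        return True
    reference = user.last_logon_on or user.password_set_on
    return (today - reference).days <= max_idle_productive


def audit_idle_passwords(users: List[SapUser], today: date,
                         max_idle_initial: int, max_idle_productive: int) -> Dict[str, bool]:
    """Map each user name to whether their password is still usable today."""
    return {u.name: password_usable(u, today, max_idle_initial, max_idle_productive)
            for u in users}


# Constructed sample data: four users as an administrator might see them in SU01.
TODAY = date(2024, 3, 1)
SAMPLE_USERS = [
    SapUser("NEWUSER1", True, date(2024, 2, 27), None),              # initial, 3 days old
    SapUser("NEWUSER2", True, date(2024, 1, 15), None),              # initial, 46 days old, never used
    SapUser("ACTIVE", False, date(2023, 6, 1), date(2024, 2, 20)),   # last logon 10 days ago
    SapUser("DORMANT", False, date(2023, 6, 1), date(2023, 10, 1)),  # no logon for 152 days
]

if __name__ == "__main__":
    # 7 days for initial passwords, 90 days for productive ones (assumed values)
    for name, ok in audit_idle_passwords(SAMPLE_USERS, TODAY, 7, 90).items():
        print(f"{name:10} {'usable' if ok else 'disabled (idle too long)'}")
```

Running it with the assumed limits reports NEWUSER2 and DORMANT as disabled; rerunning with both limits at 0 reports every password as usable, which is exactly the default state the text warns about for initial passwords.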
A further point of focus concerns system copies, or cases where your user has the same password in different systems. Why could this be a risk?
If you don't have tools such as SAP GRC Access Control or Identity Management solutions, then you can directly use the standard SAP functionality for automatic password generation.
This tool, located in the "Logon Data" tab of transaction SU01 (the transaction for the management of all SAP users), enables you to generate passwords.
By default SAP generates a password with the highest possible complexity, that is 40 characters including numbers, letters (lower case and upper case) and special characters.
You can personalize the behavior of this function in the PRGN_CUST table (through transaction SM30) using the following customizing switches:
Maximum number of digits in the generated password
Maximum number of letters in the generated password
Maximum number of special characters in the generated password
Maximum length of the generated password
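The following generator is an added example, not the post's code and not SAP's own algorithm: it shows how the four switches listed above shape a generated initial password. The four caps (maximum digits, letters, special characters and total length) are parameters of the function; the defaults of 40 mirror the described SAP default of a 40-character password drawing on all three classes, the set of special characters is a constructed one, and the rule that every permitted class contributes at least one character is a design choice of this example.

```python
import secrets
import string
from typing import Dict

DIGITS = string.digits
LETTERS = string.ascii_letters          # lower and upper case, as the text describes
SPECIALS = "!$%&/()=?*+-_.,;:#@"        # constructed set of printable ASCII specials

CLASSES = {"digit": DIGITS, "letter": LETTERS, "special": SPECIALS}


def generate_password(max_length: int = 40, max_digits: int = 40,
                      max_letters: int = 40, max_specials: int = 40,
                      min_length: int = 8) -> str:
    """Generate a random initial password within per-class and total caps.

    The caps stand in for the PRGN_CUST switches described in the text.
    The password is as long as the caps allow (total length is bounded both
    by max_length and by the sum of the per-class caps), and uses the
    secrets module so the result is unpredictable.
    Design choice (not taken from SAP): every class with a non-zero cap
    contributes at least one character, so the result is never single-class.
    """
    caps = {"digit": max_digits, "letter": max_letters, "special": max_specials}
    length = min(max_length, sum(caps.values()))
    if length < min_length:
        raise ValueError(f"caps allow only {length} characters, need {min_length}")
    chars = []
    # Guarantee one character from each permitted class first.
    for cls, cap in caps.items():
        if cap > 0 and len(chars) < length:
            chars.append(secrets.choice(CLASSES[cls]))
            caps[cls] -= 1
    # Fill the rest, choosing only among classes that still have budget left.
    while len(chars) < length:
        cls = secrets.choice([c for c, cap in caps.items() if cap > 0])
        chars.append(secrets.choice(CLASSES[cls]))
        caps[cls] -= 1
    secrets.SystemRandom().shuffle(chars)  # hide the "one of each class" prefix
    return "".join(chars)


def count_classes(password: str) -> Dict[str, int]:
    """Count digits, letters and specials so a password can be checked against the caps."""
    return {cls: sum(ch in alphabet for ch in password) for cls, alphabet in CLASSES.items()}


def respects_caps(password: str, max_length: int, max_digits: int,
                  max_letters: int, max_specials: int) -> bool:
    """True if the password stays within every cap and contains only known classes."""
    counts = count_classes(password)
    return (len(password) <= max_length
            and counts["digit"] <= max_digits
            and counts["letter"] <= max_letters
            and counts["special"] <= max_specials
            and sum(counts.values()) == len(password))


if __name__ == "__main__":
    print("default caps :", generate_password())
    print("12 chars, max 2 digits, max 2 specials:",
          generate_password(max_length=12, max_digits=2, max_specials=2))
```

Lowering the per-class caps, as the switches allow, makes the generated password easier to type over the phone but also shrinks the space an attacker has to search; the check function lets you confirm a chosen configuration before handing the generated value to a new user.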