Hardcore Password Rules
Posted by
Admin at
Share this post:
|
When an administrator creates a user account he assigns an initial password that has to be changed immediately when used for the first time.
When an administrator creates a user account (of type DIALOG or COMMUNICATION, see note 622464) he assigns an initial password that has to be changed immediately when used for the first time.
Note: The lifetime of initial passwords can be restricted (see notes 379081 and 450452).
Passwords reset by the administrator also need to be changed by the user on the next subsequent (interactive) logon.
Note: The lifetime of reset passwords can be restricted (see notes 379081 and 450452).
The default minimum length for passwords is 3. You can change this value with the profile parameter login/min_password_lng.
The maximum length is 8.
Passwords cannot have the symbols ""?"" or ""!"" as the first character.
The first 3 characters cannot occur in the same order in the user ID.
Note: As of Release 6. 10 (Web Application Server) this rule has been removed. It will only be checked in all releases up to 4.6D.
The first 3 characters cannot be identical.
The first three characters cannot contain space characters.
Note: As of Release 6. 10 (Web Application Server) this rule has been removed. It will only be checked in all releases up to 4.6D.
The password cannot be ""PASS"" or ""SAP*"".
The administrator can define patterns of ""illegal passwords"" (USR40).
You can use all characters from the syntactical character set, that is, all letters, figures, and some special characters.
Note: As of Release 6. 10 (Web Application Server) the password rules have been enhanced. It is then possible to define the minimal numbers of digits / characters / special characters that have to occur in new passwords:
login/min_password_digits
login/min_password_letters
login/min_password_specials
The system does not distinguish between upper and lower case.
The password can only be changed by the user after entering the correct old one.
Note: Prior to Release 6. 20 (Web Application Server) the password can only be changed during the course of logging on. As of Release 6.20 the password can be changed using the menu path ""System > User Profile > Own Data"" (SU3).
The new password must differ from the old password by at least one character (i.e. they cannot be identical).
Note: As of Release 6. 10 (Web Application Server) the minimum number of characters which differ between old and new password can be customized (login/min_password_diff).
The last 5 passwords that have been chosen by the user are stored in a user-specific password history and cannot be reused.
Note: The size of the password history is static (5) and cannot be customized.
The password can be changed by the user at most once a day. This rule prevents users from bypassing the password history rule.
Note: The administrator can reset user passwords at any time.
Changed password rules do not affect old passwords; password rules will only be evaluated at the moment the password change takes place.
As of Release 6.10 function module PASSWORD_FORMAL_CHECK can be used to determine whether a given string is compliant to the current password rules.
Keyword: BASIS
Title : Hardcore Password Rules