New Password Rules

Overview of the improvements and changes in password rules or logon procedures that are delivered with Web AS ABAP 7.00 or NetWeaver 2004s

  • Passwords: Differentiation between upper and lower case; maximum length increased from eight to forty characters
    For new passwords, the system distinguishes between upper and lower case; in addition, passwords can now consist of up to forty characters (previously, the maximum was eight characters). In newly-installed systems, this applies immediately to all users; in systems that have been upgraded to Web AS ABAP 7.00 or NetWeaver 2004s from an earlier release, we have ensured that all users can continue to log on using their old password. Information that tells the system whether a user has a new password or a password of the old type is stored in the user master record and is evaluated when the system checks the password: if the user has a password of the old type, the system converts the first eight characters of the password into upper case, and the remaining thirty-two characters must be spaces. Otherwise, the password is analyzed in its entirety and without being converted into upper case. In Unicode systems, you can use Unicode characters in passwords.

    Relevant (new) profile parameters:
    • login/min_password_lowercase
    • login/min_password_uppercase
    • login/password_downwards_compatibility
  • Password history: size can now be defined as required (it used to be limited to five entries)
    The passwords that the user has assigned in the course of a password change are stored in the password history (passwords set by the user administrator are not stored in the password history). The system prevents the user from reusing previously-used passwords. The password history used to be limited to five entries; you can now define the size of the password history (maximum value: 100 entries) using a profile parameter (login/password_history_size).
  • Lock period for password change can be selected (it used to be limited to one day)
    To prevent the password history from being bypassed, a user may only change his or her password again after the lock period has passed (exception: the user is asked to change the password by the system). You can now select this lock period using the profile parameter login/password_change_waittime (maximum value: 1000 days).
  • (Advance) password change with stricter password rules
    You can now set the system so that it asks only users whose current password no longer satisfies the current (stricter) password rules to change their password (in advance). To do this, set the profile parameter login/password_compliance_to_current_policy = 1.
  • Validity period of unused passwords can be restricted
    Passwords that are not used by the authorized user are a security risk. For this reason, you are now able to restrict the validity period of these passwords; here, the system distinguishes between initial passwords (that is, passwords that are assigned by the user administrator and that are to be changed by the user at the next opportunity) and non-initial passwords (that is, passwords that have been set by the user). (Technical) users of the type SERVICE and SYSTEM are exempt from this regulation.

    Relevant (new) profile parameters:
    • login/password_max_idle_initial
    • login/password_max_idle_productive
  • Logon: Compromising error messages are avoided
    If you attempt to log on using incorrect logon data, the system now, as a rule, only issues the generic error message "Name or password is incorrect"; further reasons for failed logons (for example, a locked user account, a user account outside its validity period, and so on) are only given in detail once valid logon data has been passed. The exceptions to this rule are error scenarios in which the system could not check the logon data, or in which no further check is allowed:
    • "User has no password - logon using password is not possible"
    • "Password logon no longer possible - too many failed attempts"
  • The default values of certain profile parameters that are relevant to security have been changed:
    • login/failed_user_auto_unlock: 0 (instead of 1)
      Locks for failed logon attempts remain valid for an unlimited period.
    • login/fails_to_user_lock: 5 (instead of 12)
      The lock for failed logon attempts is set after five failed password logon attempts.
    • login/no_automatic_user_sapstar: 1 (instead of 0)
      The emergency user must be activated explicitly.
    • login/min_password_lng: 6 (instead of 3)
      Passwords must consist of at least six characters.
    • login/ticket_expiration_time: 8 (instead of 60)
      Logon tickets are only valid for eight hours.
  • The profile parameters login/password_max_new_valid and login/password_max_reset_valid have been replaced by the profile parameter login/password_max_idle_initial, which means that the system no longer distinguishes between the first and the subsequent setting of a password by the user administrator regarding the restriction of the validity of the resulting initial passwords.
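As an added illustration of the downwards-compatibility check described under the first item (this is constructed example code, not SAP's implementation), the following Python model normalises a logon candidate according to the old/new type flag in the user master record before comparing it with the stored value; the SHA-256 digest and the record layout are assumptions made for the example.

```python
"""Model of the downwards-compatible password check (constructed example)."""
from dataclasses import dataclass
import hashlib

MAX_LEN = 40   # new maximum password length
OLD_LEN = 8    # old maximum length; old-type passwords compare upper-cased


def normalize(candidate, old_type):
    """Comparable form of a candidate password, or None if it is malformed."""
    if len(candidate) > MAX_LEN:
        return None
    if not old_type:
        return candidate                         # case and length preserved
    padded = candidate.ljust(MAX_LEN)
    if padded[OLD_LEN:] != " " * (MAX_LEN - OLD_LEN):
        return None                              # positions 9..40 must be blank
    return padded[:OLD_LEN].upper()


def digest(normalized):
    # SHA-256 stands in for the stored password hash (an assumption for this
    # example, not SAP's actual algorithm); the comparison rule is the point.
    return hashlib.sha256(normalized.encode("utf-8")).hexdigest()


@dataclass
class UserRecord:
    pw_hash: str
    old_type: bool      # flag from the user master record


def make_record(password, old_type):
    """Store a password under the rule for its type."""
    norm = normalize(password, old_type)
    if norm is None:
        raise ValueError("password violates the length rule for its type")
    return UserRecord(digest(norm), old_type)


def check_logon(record, candidate):
    """True when the candidate matches under the rule for the record's type."""
    norm = normalize(candidate, record.old_type)
    return norm is not None and digest(norm) == record.pw_hash
```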

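An added audit script (constructed for this page, not an SAP tool) that compares the explicit settings in an instance profile with the changed 7.00 defaults listed above and flags the replaced parameters; the profile fragment, its "name = value" layout and the assumption that these values are plain integers are all constructed for the example.

```python
"""Audit an ABAP instance profile against the changed 7.00 security defaults.
Constructed example, not an SAP tool; numeric parameter values are assumed."""

# parameter -> (7.00 default, "max": larger is weaker / "min": smaller is weaker)
NEW_DEFAULTS = {
    "login/failed_user_auto_unlock": ("0", "max"),    # 0: locks do not expire
    "login/fails_to_user_lock": ("5", "max"),         # lock after 5 failures
    "login/no_automatic_user_sapstar": ("1", "min"),  # 1: no automatic SAP*
    "login/min_password_lng": ("6", "min"),           # minimum length
    "login/ticket_expiration_time": ("8", "max"),     # hours
}
OBSOLETE = {"login/password_max_new_valid", "login/password_max_reset_valid"}
REPLACEMENT = "login/password_max_idle_initial"

# constructed profile fragment in the usual 'name = value' layout
SAMPLE_PROFILE = """# instance profile (constructed for this example)
login/fails_to_user_lock = 12
login/failed_user_auto_unlock = 1
login/min_password_lng = 8
login/ticket_expiration_time = 8
login/password_max_new_valid = 14
"""


def parse_profile(text):
    """Return {name: value}; comment lines ('#') and lines without '=' are skipped."""
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, value = (part.strip() for part in line.split("=", 1))
        params[name] = value
    return params


def audit(text):
    """Explicit settings weaker than the 7.00 default, plus replaced parameters."""
    params = parse_profile(text)
    findings = []
    for name, (default, direction) in NEW_DEFAULTS.items():
        if name not in params:
            continue                      # not set explicitly: 7.00 default applies
        value, ref = int(params[name]), int(default)
        if (value > ref) if direction == "max" else (value < ref):
            findings.append(f"{name} = {value} is weaker than 7.00 default {ref}")
    for name in sorted(OBSOLETE & params.keys()):
        findings.append(f"{name} is replaced by {REPLACEMENT}")
    return findings
```

A parameter that is not set explicitly is not reported, because the new 7.00 default then applies.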