SAP System Parameters which can prevent Password Cracking in SAP

Several SAP system parameters can help prevent password cracking in your SAP system. Here are some key ones:

Enforcing Strong Passwords:

  • login/min_password_lng: This parameter sets the minimum password length. SAP recommends a minimum of 8 characters.
  • login/min_password_lowercase, login/min_password_uppercase, login/min_password_digits, login/min_password_letters, login/min_password_specials: These parameters define the minimum number of lowercase letters, uppercase letters, digits, letters of either case, and special characters required in a password. Requiring a combination of these character types increases password complexity.

Password Hashing Algorithm:

  • login/password_hash_algorithm: This parameter determines the algorithm used to hash stored passwords. SAP recommends using PWDSALTEDHASH, which is the strongest option and employs salted hashes. Salting means that two users with the same password get different hash values, which makes password cracking significantly more difficult.

Disallowing Weak Hashes:

  • login/password_compliance_to_current_policy: Setting this parameter to 1 prevents users from logging in with passwords stored using older, weaker hashing algorithms. However, this requires cleaning up any existing weak hashes first. Use the SAP program CLEANUP_PASSWORD_HASH_VALUES for this purpose (refer to SAP note 2845609 for details).

Limiting Login Attempts:

  • login/fails_to_session_end: This parameter defines the number of failed login attempts allowed before the user session is terminated. This helps slow down brute-force attacks.
  • login/fails_to_user_lock: This parameter sets the number of failed login attempts before the user account is locked.

Password Dictionary and Exceptions:

  • login/password_charset: This parameter controls the allowed characters in passwords. While the most secure option (0) offers limited backwards compatibility, enforcing strong password complexity rules is crucial regardless of the chosen value.
  • Table USR40: This table allows you to define patterns for disallowed passwords. This helps prevent users from choosing easily guessable passwords or those found in leaked password lists.
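The following script is an added example (not part of the original article and not SAP code) that ties the parameters above together: it parses a constructed profile fragment in the `key = value` form used by SAP instance profiles, audits it against the recommendations in this article, and then evaluates candidate passwords against the parsed policy plus a constructed set of USR40-style patterns. The baseline values, the sample profile, the USR40 patterns and the assumption that USR40 matching is case-insensitive with `*` and `?` wildcards are all assumptions made for the example.

```python
"""Audit SAP profile password parameters and simulate the resulting policy.

Added example: the profile text, baseline values and USR40 patterns below are
constructed for illustration and do not come from any real SAP system.
"""
import fnmatch

# Constructed sample profile fragment (same key = value layout as an SAP profile).
SAMPLE_PROFILE = """
# constructed sample, not a real instance profile
login/min_password_lng = 6
login/min_password_lowercase = 0
login/min_password_uppercase = 1
login/min_password_digits = 1
login/min_password_specials = 0
login/fails_to_session_end = 3
login/fails_to_user_lock = 5
login/password_compliance_to_current_policy = 0
"""

# Baseline derived from the article: minimum counts, maximum attempts, exact switches.
BASELINE_MIN = {
    "login/min_password_lng": 8,
    "login/min_password_lowercase": 1,
    "login/min_password_uppercase": 1,
    "login/min_password_digits": 1,
    "login/min_password_specials": 1,
}
BASELINE_MAX = {
    "login/fails_to_session_end": 3,   # assumed threshold for the example
    "login/fails_to_user_lock": 5,     # assumed threshold for the example
}
BASELINE_EXACT = {
    "login/password_compliance_to_current_policy": 1,
}

# Constructed USR40-style patterns ('*' = any string, '?' = one character).
USR40_PATTERNS = ["*pass*", "sap*", "welcome?", "123456*"]


def parse_profile(text):
    """Parse 'key = value' lines into a dict, skipping blanks and comments."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        params[key.strip()] = value.strip()
    return params


def audit_profile(params):
    """Return a list of findings where the profile is weaker than the baseline."""
    findings = []
    for key, minimum in BASELINE_MIN.items():
        value = int(params.get(key, 0))          # unset parameter counts as 0
        if value < minimum:
            findings.append(f"{key}={value} is below the recommended minimum {minimum}")
    for key, maximum in BASELINE_MAX.items():
        if key not in params:
            findings.append(f"{key} is not set (failed attempts are not limited)")
        elif int(params[key]) > maximum:
            findings.append(f"{key}={params[key]} allows more than {maximum} attempts")
    for key, expected in BASELINE_EXACT.items():
        if int(params.get(key, 0)) != expected:
            findings.append(f"{key} should be {expected}")
    return findings


def baseline_params():
    """Hardened parameter set built from the baseline, as a profile-style dict."""
    merged = {**BASELINE_MIN, **BASELINE_MAX, **BASELINE_EXACT}
    return {key: str(value) for key, value in merged.items()}


def check_password(password, params, usr40_patterns=USR40_PATTERNS):
    """Return the reasons a candidate password would be rejected; empty means accepted."""
    reasons = []
    counts = {
        "login/min_password_lng": len(password),
        "login/min_password_lowercase": sum(c.islower() for c in password),
        "login/min_password_uppercase": sum(c.isupper() for c in password),
        "login/min_password_digits": sum(c.isdigit() for c in password),
        "login/min_password_letters": sum(c.isalpha() for c in password),
        "login/min_password_specials": sum(not c.isalnum() for c in password),
    }
    for key, count in counts.items():
        required = int(params.get(key, 0))
        if count < required:
            reasons.append(f"{key}: need {required}, have {count}")
    # Assumption: USR40 patterns are matched case-insensitively.
    lowered = password.lower()
    for pattern in usr40_patterns:
        if fnmatch.fnmatchcase(lowered, pattern.lower()):
            reasons.append(f"matches USR40 pattern {pattern}")
    return reasons


if __name__ == "__main__":
    current = parse_profile(SAMPLE_PROFILE)
    for finding in audit_profile(current):
        print("FINDING:", finding)
    for candidate in ("Welcome1", "Xq7!mTz9"):
        print(candidate, "current policy:", check_password(candidate, current) or "accepted")
        print(candidate, "baseline policy:", check_password(candidate, baseline_params()) or "accepted")
```

Running the script shows why the parameters are meant to be combined: under the weak sample profile "Welcome1" is rejected only by the USR40 pattern, while under the baseline it also fails the special-character requirement, and the audit lists every parameter that falls short of the recommendation.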

Additional Security Measures:

  • Implement Multi-Factor Authentication (MFA) to add an extra layer of security beyond just passwords.
  • Regularly update your SAP system with the latest security patches.

Remember, these parameters work best when implemented together as part of a comprehensive SAP security strategy. Refer to SAP documentation for detailed information on configuring these parameters and best practices for securing your SAP system.
