Ridiculous Service Market Place Password Restrictions


If you ask my opinion, SAP have gone silly with their Service Marketplace password restrictions for "S" numbers.

The following lists the "MUST" criteria and my comments on why each one is just plain silly:


  • Be 8 characters long
  • ===>>> Must be exactly 8 characters long. Not only does that limit password entropy, which is where real security comes from, it is like hanging out a big flag to crackers: hey, you don't have to worry about brute force for any length other than 8 chars. And guess which password is 8 chars? Oh, "Password"!!!! Is your char field only 8 chars long? What happens if I try to put more than 8 in it??
  • Include at least one letter (a-z, A-Z) and one number (0-9). Note: the password is not case-sensitive
  • ===>>> What??? The password is NOT case-sensitive???????
  • Include at least one special character from the following set: ! \ " @ $ % & / ( { [ ] } ) + - * = ? ' ~ # _ . , ; : < >
  • ===>>> Limiting my ASCII set, so now not only do I know what your program is looking for programmatically, you have also limited my password strength possibilities.
  • Not contain any blanks
  • ===>>> Why not? Another thing crackers can eliminate from their brute force attacks. Not only that, you have given a hint that your software cannot handle spaces, which might produce interesting results..... Given we assume SAP runs SAP, can we then assume that all NetWeaver stacks hold this kind of susceptibility?? Not saying it does, but maybe it does, given you have to legislate against it.
  • Not start with ? or !
  • ===>>> Why not? Afraid of SQL injection maybe? Just giving crackers more clues about your password strength rules, and possibly that you are not handling attacks very well??? Are you taking a POST with a ? in it that does interesting stuff? Just raising the question....
  • Not begin with 3 identical characters
  • ===>>> Great: 8 chars and cannot have 3 identical chars at the start, more I can eliminate from a brute force dictionary.
  • Be different from the last 5 passwords
  • ===>>> Someone please explain how Passwork is more secure than Passworj, than Passworh, than Passworg, than Passworf, than Password. Please do so!!!!!



Call me a cynical old admin, but really, I have never seen such a long, ridiculous rule set for passwords that adds absolutely no value to your password policy; in fact it significantly detracts from it!!!
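To put a number on the entropy argument above, here is an added example (my own code, not SAP's and not part of the original post) that checks a candidate against the quoted MUST rules and counts exactly how many 8-character strings they admit, then compares that with an unrestricted, case-sensitive 8-character printable-ASCII password. The "different from the last 5 passwords" rule is left out because it depends on a user's history rather than on the string itself.

```python
import math
from functools import lru_cache

# The MUST rules quoted in the post, as constants. Because the password is
# "not case-sensitive", the 52 letters collapse to 26 distinct symbols.
LETTERS = "abcdefghijklmnopqrstuvwxyz"
DIGITS = "0123456789"
SPECIALS = "!\\\"@$%&/({[]})+-*=?'~#_.,;:<>"   # the 29 characters listed
LENGTH = 8
BAD_FIRST = "?!"

def is_valid(pw, letters=LETTERS, digits=DIGITS, specials=SPECIALS, length=LENGTH):
    """True only if pw meets every quoted rule (the history rule is omitted)."""
    pw = pw.lower()                          # the site is not case-sensitive
    alphabet = set(letters + digits + specials)
    return (len(pw) == length
            and set(pw) <= alphabet          # also enforces "no blanks"
            and any(c in letters for c in pw)
            and any(c in digits for c in pw)
            and any(c in specials for c in pw)
            and pw[0] not in BAD_FIRST
            and not (pw[0] == pw[1] == pw[2]))

def count_valid(letters=LETTERS, digits=DIGITS, specials=SPECIALS, length=LENGTH):
    """Exact number of strings is_valid accepts, by a small DP over positions."""
    classes = ((letters, 1), (digits, 2), (specials, 4))   # one bit per class
    @lru_cache(maxsize=None)
    def go(pos, seen, lead):
        # seen: bitmask of classes used so far.  lead: the leading character
        # while the prefix is still all-identical (None once it is not).
        if pos == length:
            return 1 if seen == 7 else 0
        total = 0
        for chars, bit in classes:
            for c in chars:
                if pos == 0 and c in BAD_FIRST:
                    continue
                if pos == 2 and c == lead:
                    continue                 # would begin with 3 identical chars
                nxt = c if pos == 0 else (lead if pos < 2 and c == lead else None)
                total += go(pos + 1, seen | bit, nxt)
        return total
    return go(0, 0, None)

if __name__ == "__main__":
    n = count_valid()
    print(f"SMP rules admit {n:,} passwords (~{math.log2(n):.1f} bits)")
    print(f"any 8 printable ASCII chars, case-sensitive: ~{math.log2(95 ** 8):.1f} bits")
```

The case-insensitivity and fixed length cost more bits than the composition rules add back, which is the post's point in numbers.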
