Since the SAP Support Portal and the SAP ONE Support Launchpad became your primary access points to SAP support services, numerous applications have been migrated from the old service.sap.com infrastructure to modern systems. Only a few “niche” tools are still hosted on the legacy platform, retaining the requirement to choose a password with exactly 8 characters for them. This requirement no longer exists for the migrated applications.

Starting November 4th, 2017, you may choose a more complex, safer password. It must be at least 8 characters long – maximum length is 255 – and include three of the following: Uppercase letters, lowercase letters, numbers, symbols. The “exactly-8-characters” oddity will be a thing of the past.

Well, almost. If you happen to be one of the customers who still have to access one of the legacy tools, you must use a password that complies with the old rules, but only for these old applications.

Not for the SAP ONE Support Launchpad.
Not for the SAP Support Portal.
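
The two rule sets described above can be expressed as a small checker. This is an added example, not SAP's code: the function names are hypothetical, any character that is not a letter or digit is assumed to count as a symbol, and the legacy check models only the exactly-8-characters rule stated in this post.

```python
NEW_MIN, NEW_MAX = 8, 255   # length bounds stated in the post
LEGACY_LEN = 8              # legacy service.sap.com: exactly 8 characters

def char_classes(pw):
    """Return which of the four character classes occur in pw."""
    classes = set()
    for ch in pw:
        if ch.isupper():
            classes.add("upper")
        elif ch.islower():
            classes.add("lower")
        elif ch.isdigit():
            classes.add("digit")
        else:
            # Assumption: everything else counts as a "symbol".
            classes.add("symbol")
    return classes

def new_policy_problems(pw):
    """List the reasons pw fails the launchpad/portal policy (empty if none)."""
    problems = []
    if len(pw) < NEW_MIN:
        problems.append(f"shorter than {NEW_MIN} characters")
    if len(pw) > NEW_MAX:
        problems.append(f"longer than {NEW_MAX} characters")
    found = len(char_classes(pw))
    if found < 3:
        problems.append(f"needs 3 of 4 character classes, found {found}")
    return problems

def accepted_by(pw):
    """Return the platforms on which a newly chosen pw could be used."""
    platforms = []
    if not new_policy_problems(pw):
        platforms.append("launchpad/portal")
    if len(pw) == LEGACY_LEN:   # only the length rule is modelled here
        platforms.append("legacy")
    return platforms

if __name__ == "__main__":
    # The first two samples appear in the comments below; the third is constructed.
    for sample in ("correct.horse.battery.staple",
                   "Correct.Horse.Battery.Staple",
                   "Tr0ub&3x"):
        print(sample, accepted_by(sample), new_policy_problems(sample))
```

A passphrase made only of lowercase words and dots covers two character classes and is rejected, while the capitalised variant covers three and passes; only a password of exactly 8 characters can serve both platforms.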

So why, when, and how would you come into contact with the old platform?

There are potentially two touchpoints with the service.sap.com legacy infrastructure:

First, you might enter it through your web browser (1). A few legacy applications are still referenced from the launchpad.

  • Legacy incidents, access to tickets from 2014 or before;
  • Legacy Service Messages, communication about a service that was delivered prior to mid-2017;
  • Maintain Own Clusters or Mass Updates of Authorizations, special features to maintain your colleagues’ authorization profiles.

Second, you might connect to the legacy support platform through a support tool. The URL of the system you are connecting to and the logon credentials are not necessarily exposed, so this may even happen unwittingly:

  • SAP Download Manager;
  • Line Opener Program;
  • RFC from an SAP Solution Manager 7.1 or older (2).

Regardless of how you access the legacy support platform, these are your options:

  1. You don’t do anything and continue to use your current 8-character password for the old and the new platforms. Nothing will change for you.
  2. You prefer to choose a new, safer password for launchpad and portal. In this case, you will end up having two separate ones: One for the new world, one (with 8 characters) for the old support platform.

SAP Support will do their best to mitigate any negative impact: In the SAP ONE Support Launchpad, whenever a link to a legacy tool is offered, a popup window will make you aware of the fact that you are about to enter the old world.

You won’t be caught on the wrong foot when you are asked to enter your password for the legacy platform, and you can reset or change it from there.

It goes without saying that SAP is committed to finalizing the migration of remaining legacy applications to the SAP ONE Support Launchpad.


(1) If you have a single sign-on certificate installed in your browser, you don’t have to enter any ID or password.
(2) Users for Support Hub Communication in SAP Solution Manager 7.2 are not affected by the new password policy, see KBA 2174416.

19 Comments

  1. Jörg Edinger

    Hi Peter,

    thank you for the nice and helpful article. Nice that the limitation of 8 digits ends with the 4th of November.

    2 Questions:

    • Is there a limitation of digits for the new passwords? If so, how many digits are possible?
    • Is there a time horizon for the complete migration of the legacy applications?

    Thank you!

    Kind regards,

    Joerg

    (0) 
    1. Peter Kappelmann Post author

      Hello Jörg,

      The maximum password length will be 255 characters. I have added this detail to the blog.

      Regarding a time-line for the completion of the migration of legacy applications to the SAP ONE Support Launchpad: Our goal has always been to redesign tools wherever possible, not just “copy them over” to the new platform. Some of them (cluster maintenance) are complex, and replacing them by smarter alternatives is challenging. That’s why it takes a bit longer. Still, we expect to have this completed around mid-2018.

      Best regards,
      Peter

      (0) 
      1. Guyon Cumby

        I just want to say I’m an enormous fan of this change, and I’m glad a lengthy character limit like 255 was chosen instead of a “slightly better” limit like 16. Bravo.

        (0) 
    1. Peter Kappelmann Post author

      Hello Steffi,

      This change only affects the SAP Support Portal and SAP ONE Support Launchpad. SAP.com and SAP Community already have a more modern password policy in place.

      Please note that once you are signed in to one of the above mentioned websites, you are also logged on to the others thanks to single sign-on. This won’t change of course.

      Best regards,
      Peter

      (0) 
      1. Steffi Warnecke

        “SAP.com and SAP Community already have a more modern password policy in place.”

        They do? I changed my password just yesterday and it was the same as ever, including “exactly 8 characters”. Or is this because I have an s-user?

        (0) 
    1. Peter Kappelmann Post author

       

      Hi Jelena,

      I like the comic.

      Yes, it may be mathematically proven that correcthorsebatterystaple is a safer password than Tr0ubAdor&3 and easier to remember. But the fact that it is safer, that’s mainly because it is longer. I am sure that if someone can remember correcthorsebatterystaple, they can also memorise correct.horse.battery.staple, thus increase the time it takes to guess this password by another significant factor. Today, with the exactly-8-character restriction, such a password cannot be chosen. Users are indeed forced to substitute “readable characters” by special symbols.

      After November 4th it will be possible to choose a longer password, which allows visitors to use special characters in addition to normal ones, not as substitution.

      Best regards,
      Peter

      (0) 
  2. Former Member

     

    Hi Peter,

    Are there other rules for the site apps.support.sap.com (Maintenance Plan)? Because I have a password length that includes one uppercase letter, lowercase letters, one symbol and one number, and I can’t log on to this site when I can log on to other sites: SAP Support Portal and the SAP ONE Support Launchpad.

    Thank you!

    Kind regards,

    David.

    (0) 
  3. Mikhail Alterman

    Why so easy?

    Why not make password rules with 29348701387428374 minimum characters?

    Why not lock user passwords randomly and hide rules when/how passwords get locked and unlocked? Better yet:

    Why not lock out users from support altogether like when SAP locked out all Business Objects customers when it took over?

    (0) 
  4. Roland Koethnig

    Hello Peter,

    You mentioned that, for accessing the legacy support platform, there is an option to have two separate passwords: one for the new world, one (with 8 characters) for the old support platform.
    Did I get it right that there will be two separate passwords for the same S-User? Will this also work when using certificates? I can hardly believe it.

    Regards
    Roland Köthnig

     

    (0) 
    1. Peter Kappelmann Post author

       

      Hello Roland,

      The “old world”, service.sap.com, still only accepts passwords with 8 characters. So if you choose a new state-of-the-art password with more than 8 characters for the launchpad, you will indeed end up having 2 different passwords. Luckily, there aren’t many reasons to visit service.sap.com anymore.

      If you don’t change the launchpad password, you can continue to use the same 8-character password for service.sap.com and the launchpad.

      If browser certificates are used, you don’t have to enter the password. So a new one can be chosen for the launchpad, you can continue to use the old-fashioned one for service.sap.com, but you wouldn’t know as no password prompt will be shown.

      Best regards,
      Peter

      (0) 
    1. Peter Kappelmann Post author

      Hello Manoj,

      You can change your password for the launchpad and choose a safer one. While this is what we recommend to do – even though you will then have two different passwords – you do not have to. Changing the launchpad password is not mandatory.

      Best regards,
      Peter

      (0) 
  5. Former Member

    It’s true that people can easily remember correct.horse.battery.staple

    However that’s rather irrelevant since it’s not a valid password.  So now they have to remember whether it’s c0rrect.horse.battery.staple, corr3ct.horse.battery.staple, c0rr3ct.horse.battery.staple …

    You haven’t solved the problem, you’ve just moved it.  And by placing restrictions you *are* reducing the number of options that a brute force attacker would need to try.

    Will this break SSO with an S-user?

    (0) 
    1. Peter Kappelmann Post author

       

      Hi Neil,

      One rule in the password policy has been lifted: You don’t have to choose a password with exactly 8 characters. So while the problem of choosing safe passwords that can easily be remembered hasn’t been solved, it certainly was mitigated.

      For instance, Correct.Horse.Battery.Staple is a password that visitors can easily remember and that meets the new password policy.

      SSO with an S-user has not been affected. You can still log on to the legacy platform as well as to the launchpad if you have got a browser certificate installed, regardless of which password you’d otherwise have to use to enter these sites, an old one with 8 characters or a new, safer one.

      Best regards,
      Peter

      (0) 
