Password Policy for SAP Support Portal and SAP ONE Support Launchpad About to Change
Diesen Beitrag gibt es auch auf Deutsch.
Since the SAP Support Portal and the SAP ONE Support Launchpad became your primary access points to SAP support services, numerous applications have been migrated from the old service.sap.com infrastructure to modern systems. Only a few “niche” tools are still hosted on the legacy platform, retaining the requirement to choose a password with exactly 8 characters for them. This requirement no longer exists for the migrated applications.
Starting November 4th, 2017, you may choose a more complex, safer password. It must be at least 8 characters long – maximum length is 255 – and include three of the following: Uppercase letters, lowercase letters, numbers, symbols. The “exactly-8-characters” oddity will be a thing of the past.
Well, almost. If you happen to be one of the customers who still have to access one of the legacy tools, you must use a password that complies with the old rules, but only for these old applications.
Not for the SAP ONE Support Launchpad.
Not for the SAP Support Portal.
So why, when, and how would you come into contact with the old platform?
There are potentially two touchpoints with the service.sap.com legacy infrastructure:
First, you might enter it through your web browser (1). A few legacy applications are still referenced from the launchpad.
- Legacy incidents, access to tickets from 2014 or before;
- Legacy Service Messages, communication about a service that was delivered prior to mid-2017;
- Maintain Own Clusters or Mass Updates of Authorizations, special features to maintain your colleagues’ authorization profiles.
Second, you might connect to the legacy support platform through a support tool. The URL of the system you are connecting to and the logon credentials are not necessarily exposed, so this may even happen unwittingly:
- SAP Download Manager;
- Line Opener Program;
- RFC from an SAP Solution Manager 7.1 or older (2).
Regardless of how you access the legacy support platform, these are your options:
- You don’t do anything and continue to use your current 8-character password for the old and the new platforms. Nothing will change for you.
- You prefer to choose a new, safer password for launchpad and portal. In this case, you will end up having two separate ones: One for the new world, one (with 8 characters) for the old support platform.
SAP Support will do their best to mitigate any negative impact: In the SAP ONE Support Launchpad, whenever a link to a legacy tool is offered, a popup window will make you aware of the fact that you are about to enter the old world:
You won’t be caught on the wrong foot when you are asked to enter your password for the legacy platform, and you can reset or change it from there.
It goes without saying that SAP is committed to finalizing the migration of remaining legacy applications to the SAP ONE Support Launchpad.
(1) If you have a single sign-on certificate installed in your browser, you don’t have to enter any ID or password.
(2) Users for Support Hub Communication in SAP Solution Manager 7.2 are not affected by the new password policy, see KBA 2174416.
Hi Peter,
thank you for the nice and helpful article. Nice that the limitation of 8 digits ends with the 4th of November.
2 Questions:
Thank you!
Kind regards,
Joerg
Hello Jörg,
The maximum password length will be 255 characters. I have added this detail to the blog.
Regarding a time-line for the completion of the migration of legacy applications to the SAP ONE Support Launchpad: Our goal has always been to redesign tools wherever possible, not just “copy them over” to the new platform. Some of them (cluster maintenance) are complex, and replacing them by smarter alternatives is challenging. That’s why it takes a bit longer. Still, we expect to have this completed around mid-2018.
Best regards,
Peter
I just want to say I'm an enormous fan of this change, and I'm glad a lengthy character limit like 255 was chosen instead of a "slightly better" limit like 16. Bravo.
Hello Peter,
is this just going to change for the support portal and launchpad or sap.com (with the Community) itself, too?
Regards,
Steffi.
Hello Steffi,
This change only affects the SAP Support Portal and SAP ONE Support Launchpad. SAP.com and SAP Community already have a more modern password policy in place.
Please note that once you are signed in to one of the above mentioned websites, you are also logged on to the others thanks to single sign-on. This won't change of course.
Best regards,
Peter
"SAP.com and SAP Community already have a more modern password policy in place."
They do? I changed my password just yesterday and it was the same as ever, including "exactly 8 characters". Or is this because I have an s-user?
I think so, Steffi, yes. If you try and change a password for a P-user you get this:
Well, at least I can change my email address, right? ^^
Of course. For a p-user you'd absolutely need to. Oh, wait...
IMHO forcing the users to include symbols only leads to the password "P@ssword1" instead of "Password1". I think this comics sums it up very well.
Hi Jelena,
I like the comic.
Yes, it may be mathematically proven that correcthorsebatterystaple is a safer password than Tr0ubAdor&3 and easier to remember. But the fact that it is safer, that's mainly because it is longer. I am sure that if someone can remember correcthorsebatterystaple, they can also memorise correct.horse.battery.staple, thus increase the time it takes to guess this password by another significant factor. Today, with the exactly-8-character restriction, such a password cannot be chosen. Users are indeed forced to substitute "readable characters" by special symbols.
After November 4th it will be possible to choose a longer password. Which allows visitors to use special characters in addition to normal ones, not as substitution.
Best regards,
Peter
Hi Peter,
Is there other rules for the site: apps.support.sap.com ( Maintenance Plan ). Because , I have password length That include one Upper letter, lowercase letters, one symbol amd one number, And i can't logon to this site when i can logon to other sites: SAP Support Portal and the SAP ONE Support Launchpad.
Thank you!
Kind regards,
David.
Why so easy?
Why not make password rules with 29348701387428374 minimum characters?
Hello Peter,
you mentioned that for accessing legacy support platform an option to have two separate passwords: one for the new world, one (with 8 characters) for the old support platform.
Did I get it right that there will be two separate passwords for the same S-User? Will this also work when using certificates? I hardly can't believe.
Regards
Roland Köthnig
Hello Roland,
The "old world", service.sap.com, still only accepts passwords with 8 characters. So if you choose a new state-of-the-art password with more than 8 characters for the launchpad, you will indeed end up having 2 different passwords. Luckily, there aren't many reasons to visit service.sap.com anymore.
If you don't change the launchpad password, you can continue to use the same 8-character password for service.sap.com and the launchpad.
If browser certificates are used, you don't have to enter the password. So a new one can be chosen for the launchpad, you can continue to use the old-fashioned one for service.sap.com, but you wouldn't know as no password prompt will be shown.
Best regards,
Peter
Hi,
Is we need to change our current S-user ID password as mandatory now.
Or it's OK to continue with our old once for a while.
Hello Manoj,
You can change your password for the launchpad and choose a safer one. While this is what we recommend to do -- even though you will then have two different passwords --, you do not have to. Changing the launchpad password is not mandatory.
Best regards,
Peter
It's true that people can easily remember correct.horse.battery.staple
However that's rather irrelevant since it's not a valid password. So now they have to remember whether it's c0rrect.horse.battery.staple, corr3ct.horse.battery.staple, c0rr3ct.horse.battery.staple ...
You haven't solved the problem, you've just moved it. And by placing restrictions you *are* reducing the number of options that a brute force attacker would need to try.
Will this break SSO with an S-user?
Hi Neil,One rule in the password policy has been lifted: You don't have to choose a password with exactly 8 characters. So while the problem of choosing safe passwords that can easily be remembered hasn't been solved, it certainly was mitigated.
For instance, Correct.Horse.Battery.Staple is a password that visitors can easily remember and that meets the new password policy.
SSO with an S-user has not been affected. You can still log on to the legacy platform as well as to the launchpad if you have got a browser certificate installed. Regardless which password you'd otherwise have to use to enter these sites, an old one with 8 characters or a new, safer one.
Best regards,
Peter
Is there a password validity period, say I have to change my password once every 180 days?
Hello Jens,
The SAP ONE Support Launchpad does not require you to change your password on a regular basis, nor does the SAP Support Portal.
However, as far as I know, some SAP websites do. As you are using the same S-user ID/ password combination for different SAP websites, it could be that you are asked to change your password, for instance when you enter the SAP Community. (I think the SAP Community password policy requires a new password every six months. But take this with a grain of salt: I am not an SAP Community expert.)
Best regards,
Peter
Thanks, that's in line with the mixed answers I got when asking some colleagues. I was pretty sure I had to change S-User password every six months, however another team member stating he'd never had to change password (and he's no community member).
So thanks again