Strengthening SAP System: Implementing a Robust Password Policy
There were 1,802 publicly reported data breaches in 2022 affecting 422.1 million people. Credentials are exposed with every breach, putting corporate and personal accounts at risk.
Last year alone, 1.7 billion credentials were exposed in data breaches and traded on the darknet. Additionally, according to a cybercrime analytics company, 27.36 million corporate email addresses and plaintext passwords were added to its dataset. Because complex, unique passwords are difficult to remember, users tend to keep similar or easy-to-remember passwords, which makes account takeover easy for hackers.
With everyone relying on digital identities now more than ever, cybercriminals have a lot more opportunity to profit from passwords and identity data exposed in breaches. The key is to act quickly after an exposure so you shut down their ability to profit from that stolen data.
If you are using the same password for both your personal and corporate accounts, this article is specifically for you!
Before you read this blog, do a quick check: find out whether your frequently used password has been pwned by visiting the website Have I Been Pwned?
If you see that your password has appeared in one or more data breach lists, it’s time to change it.
Now, let’s delve into the topic!
According to a survey, 80% of respondents maintain identical passwords for various websites such as email, bank accounts, systems, and applications. This practice poses a significant risk: if one account is compromised, hackers can potentially access all other linked accounts and applications.
Consider the impact of a compromised enterprise-wide application, such as SAP. Should you not strengthen your application? Would you say that setting a strong password is solely the user’s responsibility? Absolutely not!
Administrators must establish a robust system and implement appropriate measures. Here are some of the essential tasks that administrators should carry out in SAP systems:
Eliminating Common Passwords
The primary defense against unauthorized access is to ensure that users avoid commonly used passwords. Cyber attackers frequently exploit this weakness to gain unauthorized entry into systems. Thankfully, SAP offers an effective solution to this problem: maintaining a list of impermissible passwords in the USR40 table.
This list can be maintained in the USR40 table using the standard process, or by quickly writing an ABAP program that uploads the entries in bulk from an Excel template. Once updated, these widely used passwords will no longer be accepted for user accounts.
It is also essential to encourage users to create strong passwords. You may ask your users to use websites such as security.org to check the strength of a password before setting it.
Implementing Password Complexity Rules
Administrators can also set up strong and complex password rules using the following password parameters, which can be tailored to meet your organization’s security requirements:
- login/min_password_digits: Specifies the minimum number of digits required in a password.
- login/min_password_letters: Sets the minimum number of letters (alphabets) required in a password.
- login/min_password_lowercase: Determines the minimum count of lowercase letters necessary in a password.
- login/min_password_uppercase: Specifies the minimum number of uppercase letters required in a password.
- login/min_password_specials: Sets the minimum count of special characters needed in a password.
NOTE: There are other parameters, such as password length and history. The ones above are used to define complexity. For a list of parameters, refer to the SAP Help link.
By configuring these parameters appropriately, administrators can enforce password complexity rules that ensure users create strong passwords that are difficult to crack.
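The two controls above (the USR40 deny list and the login/min_password_* parameters) can be exercised together offline, as an added example that is not code from this blog or from SAP. The profile values and USR40 entries are constructed, and the case-insensitive matching and the definition of "special" are assumptions; USR40 accepts `?` for one character and `*` for any sequence.

```python
import re

# Constructed profile excerpt; the values are illustrative only.
PROFILE = """\
login/min_password_digits = 1
login/min_password_letters = 1
login/min_password_lowercase = 1   # comments are ignored
login/min_password_uppercase = 1
login/min_password_specials = 1
"""
# Constructed USR40 entries: "?" is one character, "*" any sequence.
USR40 = ["PASSWORD*", "WELCOME*", "*2023", "SAP???"]

def parse_profile(text):
    """Return {parameter: int} for every login/min_password_* line."""
    params = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            key, value = (p.strip() for p in line.split("=", 1))
            if key.startswith("login/min_password_"):
                params[key] = int(value)
    return params

def usr40_match(password, patterns):
    """Return the first pattern that matches (assumed case-insensitive)."""
    for pat in patterns:
        rx = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                     for c in pat)
        if re.fullmatch(rx, password, re.IGNORECASE | re.DOTALL):
            return pat
    return None

def violations(password, params, patterns):
    """List every rule the candidate password breaks."""
    counts = {
        "digits": sum(c.isdigit() for c in password),
        "letters": sum(c.isalpha() for c in password),
        "lowercase": sum(c.islower() for c in password),
        "uppercase": sum(c.isupper() for c in password),
        # Assumption: anything that is not a letter or digit is "special".
        "specials": sum(not c.isalnum() for c in password),
    }
    found = [f"login/min_password_{k}" for k, n in counts.items()
             if n < params.get(f"login/min_password_{k}", 0)]
    hit = usr40_match(password, patterns)
    if hit:
        found.append(f"USR40:{hit}")
    return found
```

A password such as `Welcome2023!` satisfies every complexity parameter and is still rejected by the deny list, which is why the two controls are configured together.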
Disallowing Old Hashes and Cleaning Up Legacy Data
Older password hashing methods become more susceptible to attacks. To ensure the highest level of security, it is crucial to disallow the use of old password hashes. SAP offers the login/password_compliance_to_current_policy parameter, which can be set to 1 to forbid the use of old password hashes in the system.
However, before applying this change to a productive system, it is essential to clean up old password hashes. Using the ABAP program CLEANUP_PASSWORD_HASH_VALUES (refer to SAP note 2845609 for more details), you can remove the legacy hash values and enhance the security of your SAP system.
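Before running the cleanup, it helps to know which accounts still carry legacy hash values. The following added example (not part of the original blog or of SAP's program) classifies users from a constructed extract of the user master table; the USR02 column names BCODE, PASSCODE and PWDSALTEDHASH and the semicolon-separated layout are assumptions not stated on this page, and all hash values are dummy fillers.

```python
import csv
import io

# Constructed sample in the shape of a USR02 extract; hash values are fillers.
EXPORT = """\
BNAME;BCODE;PASSCODE;PWDSALTEDHASH
ALICE;0000000000000000;0000000000000000000000000000000000000000;{x-issha, 1024}AAAA
BATCH_FI;1111111111111111;2222222222222222222222222222222222222222;{x-issha, 1024}BBBB
OLDUSER;3333333333333333;0000000000000000000000000000000000000000;
"""

# Columns assumed to hold the older, unsalted hash formats.
LEGACY_FIELDS = ("BCODE", "PASSCODE")

def is_set(value):
    """A hash column counts as populated unless it is empty or all zeros."""
    return bool(value.strip().strip("0"))

def audit(export_text):
    """Classify users by the password hash columns that are still populated."""
    report = {"clean": [], "redundant_legacy": [], "legacy_only": []}
    for row in csv.DictReader(io.StringIO(export_text), delimiter=";"):
        legacy = [f for f in LEGACY_FIELDS if is_set(row[f])]
        if not legacy:
            bucket = "clean"             # only the salted hash remains
        elif is_set(row["PWDSALTEDHASH"]):
            bucket = "redundant_legacy"  # legacy value kept beside a salted hash
        else:
            bucket = "legacy_only"       # no salted hash yet; review first
        report[bucket].append((row["BNAME"], legacy))
    return report

if __name__ == "__main__":
    for bucket, users in audit(EXPORT).items():
        print(bucket, users)
```

Accounts in `legacy_only` have no salted hash at all, so they are listed separately for review before the parameter change.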
Implement PWDSALTEDHASH for Strongest Password Hashing
To further enhance security, it is crucial to adopt the newest and most robust password hash strength. SAP recommends the use of PWDSALTEDHASH as the default password hashing algorithm using the parameter login/password_hash_algorithm. This algorithm provides an added layer of security by employing salted hashes, making it more difficult for attackers to crack passwords.
Implement Custom Policies for Background and Power Users
Certain users, such as background users and power users (basis and user administrators), require additional layers of security due to their elevated access privileges. To address this, organizations can set up specific security policies using transaction code SECPOL that enforce extra strong password requirements for these user types. Create the additional security policies and assign them in transaction SU01. By implementing this approach, you can ensure that critical accounts are well-protected against potential breaches.
For detailed steps, refer to the SAP Help portal.
I also suggest checking out another blog by Frank Buchholz that offers a tailored program to view all the current security policies in the SAP system.
Implement 2FA/MFA for critical IDs
Implementing Two-Factor Authentication (2FA) or Multi-Factor Authentication (MFA) for critical IDs in SAP is a crucial security measure that significantly enhances the protection of sensitive data and critical functionalities within the SAP system. This additional layer of verification adds a robust barrier against potential cyber threats, ensuring that only authorized personnel can access and carry out critical operations, bolstering overall security and mitigating potential risks of data breaches or unauthorized system modifications.
Understanding your darknet exposure, and then taking the necessary steps to protect yourself and your enterprise, are the first steps to securing yourself from cyberattacks. Read the 2022 Annual data breach report to learn about the various compromises.
In conclusion, implementing a robust password policy is essential to safeguarding your SAP environment against security threats. By eliminating common passwords, enforcing password complexity rules, disallowing old hashes, and implementing the strongest password hashing methods, organizations can significantly reduce their vulnerability to unauthorized access and potential data breaches.
Securing your SAP system should be an ongoing priority, and by following the best practices outlined in this blog, you can take significant strides towards ensuring the safety of your critical data and maintaining the trust of your users.