Safety first – recommendations for secure password assignment and control options in SAP®

Be honest: How operational would your company still be in the event of a complete system failure after a successful cyberattack? The majority of respondents to a Forsa survey indicated that their companies would not actually be operational at all. All the while, though, the number of attacks has been increasing drastically for years. As an SAP system house and operator of numerous SAP® instances, we would like to introduce you to the BSI secure password recommendations and let you know about further support options. [1]

6 criteria for a secure password

Attacks against IT infrastructures and SAP® systems are not only increasing in frequency, but are also becoming increasingly complex, which makes it even more difficult to defend against them. As a result, the risk of system failure, misuse or loss of data, and identity theft is constantly growing. These are important reasons for strengthening your own IT security. We would thus like to draw your attention to the BSI (German Federal Office for Information Security) recommendations on the use of secure passwords. When assigning a secure password, your SAP® users should observe the following criteria:

  1. Password length: The longer the password, the better! The minimum length should be 8–10 characters.
  2. Diversity: The password should consist of as many different character types as possible, e.g. upper and lower case letters, numbers and special characters.
  3. Neutrality: The password should not have a personal association with the user, e.g. names of family members, dates of birth, nicknames.
  4. No dictionary entries: If possible, the complete password should not appear in dictionaries.
  5. Patternless: The password should not consist of common repetition patterns or adjacent keys of the keyboard such as “12345”, “qwertz” or “onetwothree”.
  6. Complexity: You should not just add a number or one of the usual special characters at the end or beginning of an otherwise simple password. The BSI now also takes the view that a more complex password provides significantly higher security than changing your password every six weeks. Experience has shown that regular changes reduce the complexity of passwords and lead to insecure storage of passwords by the end user (e.g. a Post-it note with the password under the keyboard).

Support options provided by PROMOS

In order to minimise the entry points for external attacks as much as possible, it is important to regularly communicate the aforementioned aspects of secure password assignment to your users. Furthermore, some of these criteria can be enforced systemically when a password is set. For example, your systems can be configured to require that a password has a minimum length and contains special characters or upper and lower case letters. The number of permitted failed attempts to enter the password before the user is locked can also be set individually. We will be delighted to advise you individually and support you with the respective systemic settings.
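As an added illustration of the six criteria above and of the systemic checks described in this paragraph, the following Python checker (example code written for this article, not part of PROMOS' or SAP's tooling) reports which criteria a candidate password fails. The minimum length, the tiny dictionary and the keyboard rows are constructed assumptions; a real deployment would load a full wordlist and the user's master data.

```python
import re
from typing import Iterable, List

# Constructed assumptions for the example: a real check would use a full
# dictionary file and the employee's master data for the "neutrality" test.
MIN_LENGTH = 10
DICTIONARY = {"password", "welcome", "summer", "winter", "onetwothree"}
# German QWERTZ layout, matching the "qwertz" example from the BSI list.
KEYBOARD_ROWS = ["qwertzuiop", "asdfghjkl", "yxcvbnm", "1234567890"]


def keyboard_run(pw: str, n: int = 4) -> bool:
    """True if pw contains n adjacent keys of one keyboard row, in either direction."""
    low = pw.lower()
    for row in KEYBOARD_ROWS:
        for i in range(len(row) - n + 1):
            seq = row[i:i + n]
            if seq in low or seq[::-1] in low:
                return True
    return False


def repetition(pw: str) -> bool:
    """True if a character or short group repeats three or more times in a row."""
    return re.search(r"(.+?)\1{2,}", pw) is not None


def check_password(pw: str, personal: Iterable[str] = ()) -> List[str]:
    """Return the BSI criteria the password fails; an empty list means it passes."""
    failed = []
    low = pw.lower()
    if len(pw) < MIN_LENGTH:                                   # 1. length
        failed.append("length")
    classes = [str.islower, str.isupper, str.isdigit, lambda c: not c.isalnum()]
    if sum(any(f(c) for c in pw) for f in classes) < 3:        # 2. diversity
        failed.append("diversity")
    if any(p.lower() in low for p in personal if p):           # 3. neutrality
        failed.append("neutrality")
    if low in DICTIONARY:                                      # 4. dictionary
        failed.append("dictionary")
    if keyboard_run(pw) or repetition(pw):                     # 5. patterns
        failed.append("pattern")
    # 6. complexity: a dictionary word with 1-2 digits/specials tacked on at an end
    core = re.sub(r"^[^A-Za-z]{1,2}|[^A-Za-z]{1,2}$", "", low)
    if core != low and core in DICTIONARY:
        failed.append("complexity")
    return failed
```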
