peterkappelmann
Advisor

This post is also available in German.


Since the SAP Support Portal and the SAP ONE Support Launchpad became your primary access points to SAP support services, numerous applications have been migrated from the old service.sap.com infrastructure to modern systems. Only a few "niche" tools are still hosted on the legacy platform, retaining the requirement to choose a password with exactly 8 characters for them. This requirement no longer exists for the migrated applications.

Starting November 4th, 2017, you may choose a more complex, safer password. It must be at least 8 characters long – maximum length is 255 – and include three of the following: uppercase letters, lowercase letters, numbers, symbols. The "exactly-8-characters" oddity will be a thing of the past.

Well, almost. If you happen to be one of the customers who still have to access one of the legacy tools, you must use a password that complies with the old rules, but only for these old applications.

Not for the SAP ONE Support Launchpad.
Not for the SAP Support Portal.
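
The two rule sets described above can be written as a small checker that reports which platform would take a given password. This is an added example, not SAP's code: it assumes ASCII character classes, counts any other character as a symbol, and models the legacy rule as length only, since the post states nothing else about it. The platform labels and sample passwords are constructed.

```python
import string

# Values taken from the post; everything else below is an assumption.
NEW_MIN, NEW_MAX, NEW_CLASSES = 8, 255, 3
LEGACY_LEN = 8


def char_classes(password: str) -> set:
    """Return which of the four character classes occur in the password."""
    found = set()
    for ch in password:
        if ch in string.ascii_uppercase:
            found.add("upper")
        elif ch in string.ascii_lowercase:
            found.add("lower")
        elif ch in string.digits:
            found.add("digit")
        else:
            found.add("symbol")  # assumption: anything else is a symbol
    return found


def new_policy_violations(password: str) -> list:
    """List the new-policy rules the password breaks (empty means accepted)."""
    problems = []
    if len(password) < NEW_MIN:
        problems.append(f"shorter than {NEW_MIN} characters")
    if len(password) > NEW_MAX:
        problems.append(f"longer than {NEW_MAX} characters")
    missing = NEW_CLASSES - len(char_classes(password))
    if missing > 0:
        problems.append(f"needs {missing} more character class(es)")
    return problems


def platforms_accepting(password: str) -> set:
    """Return the platforms (hypothetical labels) that would take this password."""
    accepted = set()
    if not new_policy_violations(password):
        accepted.add("launchpad/portal")
    if len(password) == LEGACY_LEN:  # assumption: legacy rule is length only
        accepted.add("legacy")
    return accepted


if __name__ == "__main__":
    # Constructed sample passwords, for illustration only.
    for pw in ("Tr0ub4d&", "Correct.Horse.Battery.Staple", "password"):
        print(f"{pw!r}: {sorted(platforms_accepting(pw))} {new_policy_violations(pw)}")
```
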

So why, when, and how would you come into contact with the old platform?


There are potentially two touchpoints with the service.sap.com legacy infrastructure:

First, you might enter it through your web browser (1). A few legacy applications are still referenced from the launchpad.

  • Legacy incidents, access to tickets from 2014 or before;

  • Legacy Service Messages, communication about a service that was delivered prior to mid-2017;

  • Maintain Own Clusters or Mass Updates of Authorizations, special features to maintain your colleagues’ authorization profiles.


Second, you might connect to the legacy support platform through a support tool. The URL of the system you are connecting to and the logon credentials are not necessarily exposed, so this may even happen unwittingly:

  • SAP Download Manager;

  • Line Opener Program;

  • RFC from an SAP Solution Manager 7.1 or older (2).


Regardless of how you access the legacy support platform, these are your options:

  1. You don’t do anything and continue to use your current 8-character password for the old and the new platforms. Nothing will change for you.

  2. You prefer to choose a new, safer password for launchpad and portal. In this case, you will end up having two separate ones: One for the new world, one (with 8 characters) for the old support platform.


SAP Support will do their best to mitigate any negative impact: In the SAP ONE Support Launchpad, whenever a link to a legacy tool is offered, a popup window will make you aware of the fact that you are about to enter the old world:



You won’t be caught on the wrong foot when you are asked to enter your password for the legacy platform, and you can reset or change it from there.

It goes without saying that SAP is committed to finalizing the migration of remaining legacy applications to the SAP ONE Support Launchpad.




(1) If you have a single sign-on certificate installed in your browser, you don’t have to enter any ID or password.
(2) Users for Support Hub Communication in SAP Solution Manager 7.2 are not affected by the new password policy, see KBA 2174416.
22 Comments
joerg-edinger
Explorer
0 Kudos
Hi Peter,

thank you for the nice and helpful article. Nice that the limitation of 8 digits ends with the 4th of November.

2 Questions:

  • Is there a limitation of digits for the new passwords? If so, how many digits are possible?

  • Is there a time horizon for the complete migration of the legacy applications?


Thank you!

Kind regards,

Joerg
Steffi_Warnecke
Active Contributor
0 Kudos
 

Hello Peter,

is this just going to change for the support portal and launchpad or sap.com (with the Community) itself, too?

 

Regards,

Steffi.
Jelena
Active Contributor
0 Kudos
IMHO forcing the users to include symbols only leads to the password "P@ssword1" instead of "Password1". I think this comic sums it up very well.
peterkappelmann
Advisor
0 Kudos
Hello Jörg,

The maximum password length will be 255 characters. I have added this detail to the blog.

Regarding a time-line for the completion of the migration of legacy applications to the SAP ONE Support Launchpad: Our goal has always been to redesign tools wherever possible, not just “copy them over” to the new platform. Some of them (cluster maintenance) are complex, and replacing them by smarter alternatives is challenging. That’s why it takes a bit longer. Still, we expect to have this completed around mid-2018.

Best regards,
Peter
peterkappelmann
Advisor
0 Kudos
Hello Steffi,

This change only affects the SAP Support Portal and SAP ONE Support Launchpad. SAP.com and SAP Community already have a more modern password policy in place.

Please note that once you are signed in to one of the above mentioned websites, you are also logged on to the others thanks to single sign-on. This won't change of course.

Best regards,
Peter
peterkappelmann
Advisor
0 Kudos

Hi Jelena,

I like the comic.

Yes, it may be mathematically proven that correcthorsebatterystaple is a safer password than Tr0ubAdor&3 and easier to remember. But the fact that it is safer, that's mainly because it is longer. I am sure that if someone can remember correcthorsebatterystaple, they can also memorise correct.horse.battery.staple, thus increase the time it takes to guess this password by another significant factor. Today, with the exactly-8-character restriction, such a password cannot be chosen. Users are indeed forced to substitute "readable characters" by special symbols.

After November 4th it will be possible to choose a longer password, which allows visitors to use special characters in addition to normal ones, not as substitution.

Best regards,
Peter
Steffi_Warnecke
Active Contributor
0 Kudos
"SAP.com and SAP Community already have a more modern password policy in place."

They do? I changed my password just yesterday and it was the same as ever, including "exactly 8 characters". Or is this because I have an s-user?
Former Member
I think so, Steffi, yes. If you try and change a password for a P-user you get this:



 
Steffi_Warnecke
Active Contributor
 

Well, at least I can change my email address, right? ^^
Former Member
Of course. For a p-user you'd absolutely need to. Oh, wait...
david_eivgi
Explorer
0 Kudos
 

Hi Peter,

Are there other rules for the site apps.support.sap.com (Maintenance Plan)? Because I have a password length that includes one uppercase letter, lowercase letters, one symbol and one number, and I can't log on to this site, while I can log on to other sites: SAP Support Portal and the SAP ONE Support Launchpad.

Thank you!

Kind regards,

David.
Alterman
Participant
0 Kudos


Why so easy?


Why not make password rules with 29348701387428374 minimum characters?


Why not lock user passwords randomly and hide rules when/how passwords get locked and unlocked?  Better yet:  


Why not lock out users from support altogether like when SAP locked out all Business Objects customers when it took over?

 

 
roland_k
Explorer
0 Kudos
Hello Peter,

You mentioned, for accessing the legacy support platform, an option to have two separate passwords: one for the new world, one (with 8 characters) for the old support platform.
Did I get it right that there will be two separate passwords for the same S-User? Will this also work when using certificates? I can hardly believe it.

Regards
Roland Köthnig

 
Former Member
0 Kudos
Hi,

Do we need to change our current S-user ID password as mandatory now?

Or is it OK to continue with our old ones for a while?
Former Member
0 Kudos
It's true that people can easily remember correct.horse.battery.staple

However that's rather irrelevant since it's not a valid password.  So now they have to remember whether it's c0rrect.horse.battery.staple, corr3ct.horse.battery.staple, c0rr3ct.horse.battery.staple ...

You haven't solved the problem, you've just moved it.  And by placing restrictions you *are* reducing the number of options that a brute force attacker would need to try.

Will this break SSO with an S-user?
0 Kudos
I just want to say I'm an enormous fan of this change, and I'm glad a lengthy character limit like 255 was chosen instead of a "slightly better" limit like 16. Bravo.
peterkappelmann
Advisor
0 Kudos

Hello Roland,

The "old world", service.sap.com, still only accepts passwords with 8 characters. So if you choose a new state-of-the-art password with more than 8 characters for the launchpad, you will indeed end up having 2 different passwords. Luckily, there aren't many reasons to visit service.sap.com anymore.

If you don't change the launchpad password, you can continue to use the same 8-character password for service.sap.com and the launchpad.

If browser certificates are used, you don't have to enter the password. So a new one can be chosen for the launchpad, you can continue to use the old-fashioned one for service.sap.com, but you wouldn't know as no password prompt will be shown.

Best regards,
Peter
peterkappelmann
Advisor
0 Kudos
Hello Manoj,

You can change your password for the launchpad and choose a safer one. While this is what we recommend to do -- even though you will then have two different passwords --, you do not have to. Changing the launchpad password is not mandatory.

Best regards,
Peter
peterkappelmann
Advisor
0 Kudos

Hi Neil,

One rule in the password policy has been lifted: You don't have to choose a password with exactly 8 characters. So while the problem of choosing safe passwords that can easily be remembered hasn't been solved, it certainly was mitigated.

For instance, Correct.Horse.Battery.Staple is a password that visitors can easily remember and that meets the new password policy.

SSO with an S-user has not been affected. You can still log on to the legacy platform as well as to the launchpad if you have got a browser certificate installed, regardless of which password you'd otherwise have to use to enter these sites, an old one with 8 characters or a new, safer one.

Best regards,
Peter
JaySchwendemann
Active Contributor
0 Kudos
Is there a password validity period, say I have to change my password once every 180 days?
peterkappelmann
Advisor
Hello Jens,

The SAP ONE Support Launchpad does not require you to change your password on a regular basis, nor does the SAP Support Portal.

However, as far as I know, some SAP websites do. As you are using the same S-user ID/ password combination for different SAP websites, it could be that you are asked to change your password, for instance when you enter the SAP Community. (I think the SAP Community password policy requires a new password every six months. But take this with a grain of salt: I am not an SAP Community expert.)

Best regards,
Peter
JaySchwendemann
Active Contributor
0 Kudos
Thanks, that's in line with the mixed answers I got when asking some colleagues. I was pretty sure I had to change S-User password every six months; however, another team member stated he'd never had to change password (and he's no community member).

So thanks again