SAP’s Hideously Overwrought Password Policy

SAP’s password system is clearly a pile of utter shit.

It’s rant time. If you run a website, portal, SaaS or cloud product (whatever you choose to call it) that lets users sign in with a username and password then you should be hashing those passwords. That process is one-way; you can’t get back to the password from the hash itself. The thing you store is a fixed-length string of characters. It isn’t encryption, as that would suggest it can be decrypted; the only useful thing you can do with the stored value is compare it to another hash. That is how you know a sign-in attempt has succeeded: the password the user just typed hashes to the same value that was stored when they set up the account. Do it properly, too: a random per-user salt and a deliberately slow algorithm such as bcrypt, scrypt, Argon2 or PBKDF2, so that a stolen table of hashes can’t be cracked quickly.

I’m not breaking any new ground by saying this. However, it’s amazing that in this day and age we can still discover businesses obviously not following best practice. These best practices have been observed and commented on around the web so many times that they can, for all intents and purposes, be considered rules.

What prompted this post was coming across the Reset Your Password page that you can see accompanying this article. It is from SAP’s website, and we can clearly see that they aren’t following the rules.

SAP's password reset page

To begin: a password that must be exactly 8 characters? If they were hashing the password then the length the user chooses wouldn’t matter. In the database it would be stored as a fixed-length digest of, say, 32 characters, whatever the user typed. It doesn’t matter if you make your password a single “a” or the mighty “supercalifragilisticexpialidocious”; both end up as 32 stored characters. Why should a user have to come up with an exactly 8 character password? What this screams is:
“We have a database field storing your passwords that is of type char(8),” which indicates that they sure as hell aren’t hashing what their users enter. The most charitable reading is a legacy backend that truncates to 8 characters before hashing; from the user’s side that is scarcely better, because it caps every password at 8 characters’ worth of guessing resistance.

Why block spaces? Or question and exclamation marks? Or a password that begins with three identical characters? What’s with the ridiculous stipulations? None of these things matter if you’re properly treating what the user has entered: a hash function takes bytes, and a space or a question mark is just another byte. If something between the form and the hash function needs to special-case or escape particular characters, it is interpreting the password as data rather than hashing it.
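To make the point of the earlier paragraph on hashing concrete, and to show why neither the length limit nor the character rules complained about above arise with a hashed store, here is an added example. It is not code from the original post and has nothing to do with SAP’s implementation; it uses PBKDF2-HMAC-SHA256 from the Python standard library with a per-user random salt (the algorithm choice, iteration count and verifier layout are assumptions of this example). Every password, whatever its length or characters, produces a stored verifier of the same length, and sign-in is a constant-time comparison of digests rather than a lookup of the password itself.

```python
import base64
import hashlib
import hmac
import os
from typing import List, Optional

# Assumed parameters for this example (not SAP's): PBKDF2-HMAC-SHA256 with a
# 16-byte random salt and an iteration count chosen to make offline guessing slow.
ITERATIONS = 600_000
SALT_BYTES = 16
ALGORITHM = "pbkdf2_sha256"


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing verifier: algorithm$iterations$salt$digest (base64).

    Any Unicode string of any length is accepted. Spaces, '!' and '?' and
    repeated leading characters need no special handling, because only the
    UTF-8 bytes of the password are fed to the key derivation function.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return "{}${}${}${}".format(
        ALGORITHM,
        ITERATIONS,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    )


def verify_password(password: str, stored: str) -> bool:
    """Re-derive the digest from the candidate password and compare it to the stored one."""
    try:
        algorithm, iterations, salt_b64, digest_b64 = stored.split("$")
    except ValueError:
        return False  # malformed verifier; never accept
    if algorithm != ALGORITHM:
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    # compare_digest runs in constant time, so timing does not reveal how much of the digest matched.
    return hmac.compare_digest(candidate, expected)


def stored_lengths(passwords: List[str]) -> List[int]:
    """Length of the stored verifier for each password; it is the same for all of them."""
    return [len(hash_password(p)) for p in passwords]


if __name__ == "__main__":
    # Constructed sample passwords: one character, a very long word, and one
    # containing spaces, punctuation and three identical leading characters.
    samples = ["a", "supercalifragilisticexpialidocious", "aaa what about ?! this"]
    for pw, n in zip(samples, stored_lengths(samples)):
        print(f"{pw!r:40} -> {n} stored characters")
    verifier = hash_password("correct horse battery staple")
    print(verify_password("correct horse battery staple", verifier))
    print(verify_password("correct horse battery stapl", verifier))
```

Because the verifier string records its own algorithm and iteration count, the iteration count can be raised later and old verifiers still check; a fixed-width `char(8)` column would allow none of this.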

If SAP – a billion dollar giant – is making these mistakes in clear view of the rest of the planet then what inspiration do the smaller players have to be any different? If someone who knows nothing of password storage and manipulation starts work on a sign-in subsystem and looks to take a benchmark from “one of the industry leaders” what hope does he or she have? This is not only about establishing user security, it’s about setting a good example to those that follow. For shame SAP, for shame.
