
The system profile parameter login/password_downwards_compatibility governs whether the older password one-way hashing mechanisms remain active alongside the newer ones. For new systems that can be expected to communicate only with other ABAP systems still in mainstream support, the older hashing mechanisms should not be required. Where an 8-character, uppercase-only (CAPS-ON) password must still be accepted, the password rules can be set as a workaround so that it is not rejected. It would be preferable if the default value were 0, so that the system generated only the new PASSCODE and not the BCODE as well. Customers who want downward compatibility, including the legacy hashes, can still change the static profile, but that would then require an active decision. This is easier than retro-fitting the new password rules for everyone else and adjusting dynamic parameters until switching to 0 only finally (and hopefully) works.

Update: Please see the comments by Wolfgang Janzen. Related notes will be added when available.
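To see how the parameter's effective value is decided, here is an added example (not part of this wiki page or of any SAP-delivered tool) that resolves login/password_downwards_compatibility across a constructed DEFAULT.PFL and instance profile and reports whether legacy BCODE hashes would be stored. It assumes the instance profile overrides the default profile, and that the kernel default is nonzero (the page only says the default is not 0; the value 1 used below is an assumption).

```python
PARAM = "login/password_downwards_compatibility"

# Assumed kernel default: the page states only that the shipped default is not 0,
# so a system whose profiles never set the parameter is treated as legacy-enabled.
ASSUMED_KERNEL_DEFAULT = 1

# Constructed sample profiles (not taken from any real system).
SAMPLE_DEFAULT_PFL = """# constructed DEFAULT.PFL
SAPSYSTEMNAME = ABC
login/password_downwards_compatibility = 1
"""

SAMPLE_INSTANCE_PFL = """# constructed instance profile; overrides DEFAULT.PFL
login/password_downwards_compatibility = 0   # new install: PASSCODE only, no BCODE
"""


def parse_profile(text):
    """Parse 'name = value' lines; '#' starts a comment. A later occurrence of the
    same parameter overrides an earlier one, as in a real profile file."""
    values = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        name, value = (part.strip() for part in line.split("=", 1))
        values[name] = value
    return values


def effective_value(default_profile, instance_profile):
    """Instance profile wins over DEFAULT.PFL, which wins over the kernel default."""
    for profile in (instance_profile, default_profile):
        if PARAM in profile:
            return int(profile[PARAM])
    return ASSUMED_KERNEL_DEFAULT


def assess(default_text, instance_text):
    """Return the effective value and whether legacy BCODE hashes will be generated."""
    default_profile = parse_profile(default_text)
    instance_profile = parse_profile(instance_text)
    value = effective_value(default_profile, instance_profile)
    return {
        "value": value,
        "explicitly_set": PARAM in default_profile or PARAM in instance_profile,
        "legacy_bcode_stored": value != 0,  # any nonzero value keeps BCODE alongside PASSCODE
    }


if __name__ == "__main__":
    print(assess(SAMPLE_DEFAULT_PFL, SAMPLE_INSTANCE_PFL))
    print(assess(SAMPLE_DEFAULT_PFL, ""))  # no instance override: DEFAULT.PFL value applies
```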

3 Comments

  1. Unfortunately the "legacy" password hashes are still required if the system is serving as Central User Administration server (because it needs to provide that information to older systems).

    But it's true: in more and more cases it will no longer be required to calculate (and store) the legacy password hash values, as well.
    So, the default value of that profile parameter might be changed to 0. But that might be considered as incompatible change - so it might not comply with the Enhancement Package philosophy.

  2. Former Member

    I guess SAP can measure how many customers have lower release systems managed by higher release CUAs. By now most should have a 7.00 central system already distributing the hashes, so new installs of 7.02 with downward compatibility should be few and know about it by now. I think that is reasonable.

    The parameter is already dynamic (also for 0 now) and with a policy which can be assigned to the user (question) one could minimize the risk further, possibly?

    The IdM does not seem to care already about this as it does not pass the hash, so there is only a little disruption risk... and in my opinion if someone makes the effort to crack password hashes then they never made a call to the help desk before or did a code scan... (smile)

    My 2 cents,

    Julius

  3. The decision was made to set the value of that profile parameter to 0 during installation of a new system.
    A newly installed system cannot be part of any system landscape, yet. So it is safe to disable the "legacy mode".

    Upgraded systems will not be impacted by that decision.