Integrated Risk Management
Through the application of technology and automation, we'll help you manage your risks efficiently and effectively across the entire enterprise.
Identity and Access Management
We'll help you ensure everybody within your organisation has access to the right systems and data, for the right reasons, and at the right time.
Cyber & Application Security
Our experts will uncover security weaknesses within your security design and business-critical applications. Helping you protect your organisation from both internal and external threats.
Bedrock Managed Service
Scalable support and on-demand expertise that seamlessly integrates with your existing operations.
About us
A group of passionate individuals with a shared purpose to help the world's leading companies embrace best practices for GRC and risk management.
Partners
Turnkey's strategic partner network consists of selected organisations that complement our capabilities.
Corporate Social ResponsibilityCSR
We are committed to being agents for change through our Climate Action Plan, championing diversity in our workplaces, and more.
Get in touch
We have operations in all corners of the globe, so see which office is nearest to you and connect with them.
Careers
We have operations in all corners of the globe, so see which office is nearest to you and connect with them.
Webinars & eBooks
All of Turnkey's webinars, guides and other insights available in one place.
Blogs
Read the latest insights from our experts on GRC and risk management, covering the latest industry topics.
Press Coverage
See all the publications where Turnkey, our experts and our successes have been noted.
Key events
See the key industry conferences on GRC, SAP security and risk management which we are attending.
Case Studies
Client satisfaction is of the utmost importance to us, and we strive to constantly deliver above expectations, going the extra mile at every opportunity.
19 May 2023

The Paradox Of Password Rules

Many organisations can expect to see some sort of findings on their audit reports pertaining to their system password rules and settings. Examples of these include the number of lowercase, uppercase, numerical or special characters required in passwords in combination with not being able to reuse passwords which have already been used. It is a widely held belief that the more restrictions and conditions that are placed upon passwords, the more secure your systems is. I believe that this is actually a paradox. In my experience, more complicated password conditions actually lead to a proliferation of simplistic passwords which can be more easily guessed or cracked. This actually reduces the security of your system rather than enhance it. It is also much more likely that users will write down their passwords in an unencrypted document on their PCs or potentially on a notepad or post it note nearby as a way of remembering the complicated passwords.

If you have largely unrestricted password conditions, you open up the possibilities that the passwords can be anything. Although you will always get the common ones such as spouses names, children’s names or swear words, there is also more chance that the password will be something completely random since the user has the freedom to choose anything from the languages available across the globe. For example combining two randomly different words together as a single password would mean that the character length is naturally greater and would take an increasingly greater period of time to crack through brute force. To protect yourself from very common passwords many systems, including SAP, have a prohibited passwords list which can be maintained.

If you start enforcing greater levels of complexity, users naturally have to think harder about the passwords which they choose. Having worked on multiple client sites, I dread the time where the little dialog box is sitting there asking for me to define a new password. Often, I spend more than a few minutes trying to think about what will fit the client password conditions and then what I am likely to remember. Until you meet the criteria specified by the system, you will simply get error messages stating the deficiency in your password strength. Once you have finally met the criteria, you will then understand the minimum standards required by the system and therefore understand the likely structure of a number of users’ passwords within that system. Whilst this might actually appear to make the password itself more complicated, you tend to find that more people follow the same thought process and therefore mean that you can actually guess many more people’s passwords than you would ordinarily have been able to. I have lost count of the amount of times people end up with a swearword with a Capital first letter and an incremental number with a $ sign at the end.

A worked example shows the common thought process for building a compliant password yet not actually making it difficult to work out, starting with my first name:

Condition

Previous Input Password

Updated Password based upon Condition

Length must be 6 characters

simon

simonp

Must have upper case character

simonp

Simonp

Must have a numeric value

Simonp

Simonp1

Must have a Special Character

Simonp1

Simonp1$

Next Password

Simonp1$

Simonp2$

Next Password

Simonp2$

Simonp3$

 

Whilst the password initially appears very secure with a combination of characters which may not easily be guessed, over time, the password settles into a very simple pattern whereby it remains largely static and simply increments the number with each change. 

Therefore, this password has retained its adherence to the complicated convention & standards set by the system yet remains an inherently weak password in general terms. 

In SAP systems, you have the option of configuring an additional parameter, login/min_password_diff, which requires that the password has a minimum number of differences from the previous one. At Turnkey Consulting, we recommend that this is set to “3” as a minimum but even then, users will find a simplistic pattern to meet those standards with as little thinking time as possible.