Tag Archive | authentication

Windows security vulnerability

Yesterday I was working late, so when I tumbled into bed I forgot to close my laptop. The next morning I was in a hurry to get out of the door, so I just used the power-off button. Surprisingly enough, my laptop did not turn off; it went straight into Windows – without any password or other form of authentication!

So of course I checked my settings, and the password-protected screensaver was on.

Being a security nerd I had to try again later that day… surprise surprise, same result. I can open the laptop without putting in a password. After some testing I found the following prerequisites for enablement of the security vulnerability.


  1. Windows 7 operating system
  2. A number of resource-consuming programs need to be running. I have tested while having Excel, Word, PDF, PowerPoint, Chrome, Outlook and Windows Explorer running simultaneously
  3. The automatic screensaver must start on its own; as soon as a single key has been pressed, the security hole is closed

If all of this is in place, you simply do the following to open the laptop without a password.

  1. Make sure to press only the power-off key – if you press any other key, the laptop will be locked
  2. With the screensaver on, hold the power-off button to close the laptop
  3. Once the Windows Task Manager opens, quickly click Cancel in the "close program" pop-up box
  4. You are now in Windows without a password!

To protect yourself against this, make sure to always lock your laptop manually before leaving it unattended.

SAP: Password wizard

Out of the box, SAP only accepts password-based logon as the mechanism for authentication. But the standard password wizard in SAP gives you a generic password of about 40 characters – incl. special characters, capital letters and other complexity mechanisms.

So using the standard password wizard is more or less impossible. Or is it…

Table PRGN_CUST gives you the possibility of customizing the rules for the password wizard, so you can now control the rules for a default generated password. This makes the wizard usable for administrators, and end users get a password they can actually understand.

The following parameters can be used in table PRGN_CUST:

  • GEN_PSW_MAX_DIGITS
  • GEN_PSW_MAX_LENGTH
  • GEN_PSW_MAX_LETTERS
  • GEN_PSW_MAX_SPECIALS

At the same time, remember to review the rules for illegal passwords; they are implemented in table USR40 :)
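As an added illustration (not SAP's code and not from the original post), the following Python models how PRGN_CUST-style GEN_PSW_MAX_* caps and USR40-style illegal-password patterns work together when an initial password is generated. It assumes each GEN_PSW_MAX_* value is an upper bound on that character class and that USR40 patterns use `*` and `?` wildcards; all table values are constructed.

```python
import random
import re
import string

# Constructed PRGN_CUST-style settings. Assumed semantics for this model: each
# GEN_PSW_MAX_* value caps the count of that character class (not SAP's generator).
PRGN_CUST = {"GEN_PSW_MAX_LENGTH": 10, "GEN_PSW_MAX_DIGITS": 3,
             "GEN_PSW_MAX_LETTERS": 6, "GEN_PSW_MAX_SPECIALS": 1}

# Constructed USR40-style illegal-password patterns; assumed wildcard syntax:
# '*' matches any run of characters, '?' matches exactly one character.
USR40 = ["*PASS*", "SAP*", "?????123", "WELCOME*"]

SPECIALS = "!#$%&()+,-./:;=@[]^_{}~"
_rng = random.SystemRandom()  # OS CSPRNG behind choice() and shuffle()


def usr40_to_regex(pattern):
    """Translate a USR40 wildcard pattern into an anchored, case-insensitive regex."""
    body = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.compile(f"^{body}$", re.IGNORECASE)


def is_illegal(password, patterns=USR40):
    """True if the password matches any illegal-password pattern."""
    return any(usr40_to_regex(p).match(password) for p in patterns)


def composition_ok(password, cust=PRGN_CUST):
    """Check a password against the GEN_PSW_MAX_* caps."""
    digits = sum(c.isdigit() for c in password)
    letters = sum(c.isalpha() for c in password)
    specials = len(password) - digits - letters
    return (len(password) <= cust["GEN_PSW_MAX_LENGTH"]
            and digits <= cust["GEN_PSW_MAX_DIGITS"]
            and letters <= cust["GEN_PSW_MAX_LETTERS"]
            and specials <= cust["GEN_PSW_MAX_SPECIALS"])


def generate_password(cust=PRGN_CUST, patterns=USR40):
    """Draw each class up to its cap, shuffle, trim to MAX_LENGTH, reject illegal ones."""
    while True:
        chars = ([_rng.choice(string.digits) for _ in range(cust["GEN_PSW_MAX_DIGITS"])]
                 + [_rng.choice(string.ascii_letters) for _ in range(cust["GEN_PSW_MAX_LETTERS"])]
                 + [_rng.choice(SPECIALS) for _ in range(cust["GEN_PSW_MAX_SPECIALS"])])
        _rng.shuffle(chars)
        candidate = "".join(chars[:cust["GEN_PSW_MAX_LENGTH"]])
        if composition_ok(candidate, cust) and not is_illegal(candidate, patterns):
            return candidate
```

With the constructed values, every generated password is 10 characters long and never matches an illegal pattern, which is the combined effect of reviewing both tables together.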