1. Which of the following profile parameters enforces the minimum number of special characters that must be included in a user's password in an SAP system?
A) login/min_password_lng
B) login/min_password_specials
C) login/password_charset
D) login/min_password_uppercase
2. Which parameter defines how many days a productive password can remain unused before it becomes invalid?
A) login/password_expiration_time
B) login/password_max_idle_productive
C) login/password_max_reset_valid
D) login/password_change_waittime
3. What is the purpose of the parameter login/password_compliance_to_current_policy?
A) It forces users to change their passwords at every logon.
B) It checks whether a password complies with current password rules and may force a change.
C) It locks the user if a password is incorrect.
D) It sets the maximum length of a password.
4. What does the parameter login/password_history_size control?
A) Number of incorrect logon attempts before lock
B) Number of days before a password must be changed
C) Number of previous passwords that cannot be reused
D) Number of logins allowed per user
5. Which parameter allows you to disable password-based logon entirely in favor of Single Sign-On methods?
A) login/accept_sso2_ticket
B) login/password_charset
C) login/disable_password_logon
D) login/password_downwards_compatibility
Correct Answers with Detailed Explanations
1. Enforcing Special Characters in SAP Passwords
Correct Answer: B) login/min_password_specials
Explanation:
The login/min_password_specials parameter is crucial for enforcing password complexity in SAP systems. It specifies the minimum number of special characters that must be included in a user's password. These special characters include symbols such as:
"@ $%&/()=?’*+~#-_.,;:{[]}\\<>| and space
Implementing this parameter helps protect against simple and predictable passwords. Here's how the incorrect options differ:
- A) login/min_password_lng: Sets the minimum password length, not complexity.
- C) login/password_charset: Specifies allowed character sets, not the required quantity.
- D) login/min_password_uppercase: Ensures a minimum number of uppercase letters, not special characters.
2. Password Idle Timeout for Productive Users
Correct Answer: B) login/password_max_idle_productive
Explanation:
login/password_max_idle_productive determines how many days a user's productive password can remain unused before it is considered invalid. This feature encourages regular system access and helps detect dormant accounts that could become security threats.
Comparison with other options:
- A) login/password_expiration_time: Defines the overall validity period of a password, regardless of usage.
- C) login/password_max_reset_valid: Deals with how long a reset password is valid before being used.
- D) login/password_change_waittime: Controls the minimum number of days before the user can change the password again.
3. Enforcing Compliance with Updated Password Policies
Correct Answer: B) It checks whether a password complies with current password rules and may force a change.
Explanation:
When set to 1, login/password_compliance_to_current_policy forces the system to check if a user's current password adheres to updated password policies. If it doesn't, the user is prompted to change it at the next logon.
This is vital in organizations where password policies are updated for compliance or to meet newer security standards.
- A) Incorrect—there’s no forced password change at every logon.
- C) Incorrect—does not handle password failure or lockout.
- D) Incorrect—does not define password length.
4. Preventing Password Reuse
Correct Answer: C) Number of previous passwords that cannot be reused
Explanation:
The login/password_history_size parameter stores a list of previously used passwords. When users try to change their password, the system checks this list to prevent reuse. This helps strengthen password practices and reduces vulnerability to brute-force or recycled password attacks.
- A) Incorrect—concerns logon failure limits.
- B) Incorrect—this would involve expiration policies, not reuse.
- D) Incorrect—logins per user are managed elsewhere, not via this parameter.
5. Enabling SSO by Disabling Password-Based Logon
Correct Answer: C) login/disable_password_logon
Explanation:
In systems where Single Sign-On (SSO) is preferred for authentication, setting login/disable_password_logon disables traditional password entry. This enhances security by eliminating password exposure.
Use this parameter in high-security environments where the following are used exclusively:
- Certificates
- SSO tickets
- External authentication methods
Other options:
- A) login/accept_sso2_ticket: Enables SSO, but doesn't disable passwords.
- B) login/password_charset: Handles character input, not login methods.
- D) login/password_downwards_compatibility: Pertains to backward compatibility for older systems.
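The password-policy parameters explained in answers 1 to 4 can be checked together against a profile file. The following is an added example, not part of the original quiz and not SAP tooling; the baseline limits, the sample profile, the reading of 0 as "idle check switched off", and the function names parse_profile and audit are assumptions made for illustration.

```python
# Added example: BASELINE limits are illustrative assumptions, not SAP guidance.
SAMPLE_PROFILE = """\
# constructed sample profile, not from a real system
login/min_password_specials = 0
login/password_max_idle_productive = 0
login/password_history_size = 12
login/password_compliance_to_current_policy = 1
"""

# Rule kinds: "min" -> value >= limit; "eq" -> value == limit;
# "max_nonzero" -> 1..limit, with 0 treated as "idle check switched off".
BASELINE = {
    "login/min_password_specials": ("min", 1),
    "login/password_max_idle_productive": ("max_nonzero", 90),
    "login/password_history_size": ("min", 5),
    "login/password_compliance_to_current_policy": ("eq", 1),
}

def parse_profile(text):
    """Return {parameter: value} from 'name = value' lines, skipping comments."""
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, value = line.split("=", 1)
        params[name.strip()] = value.strip()
    return params

def audit(text, baseline=BASELINE):
    """Return {parameter: reason} for every baseline rule the profile fails."""
    params, findings = parse_profile(text), {}
    for name, (kind, limit) in baseline.items():
        raw = params.get(name)
        if raw is None:
            findings[name] = "not set in profile, kernel default applies"
        elif not raw.isdigit():
            findings[name] = f"non-numeric value {raw!r}"
        elif kind == "min" and int(raw) < limit:
            findings[name] = f"{raw} is below required minimum {limit}"
        elif kind == "eq" and int(raw) != limit:
            findings[name] = f"{raw} should be {limit}"
        elif kind == "max_nonzero" and not 1 <= int(raw) <= limit:
            findings[name] = f"{raw} is outside 1..{limit} (0 = no idle check)"
    return findings

if __name__ == "__main__":
    for name, reason in audit(SAMPLE_PROFILE).items():
        print(f"FAIL {name}: {reason}")
```

A parameter that is absent from the profile is reported rather than assumed compliant, because the effective value then comes from the kernel default.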