
We are currently using a third party software for SSO Login in a hybrid landscape with SAP, ADFS, etc.

The users have to change their password in the client software, which is then sent to a central server in the third party's cloud and used for a system wide synchronized login.

Is this a good idea and really useful? I don't think so, but it is how it is...

But now I wonder, the password policy says that the passwords have to have a minimum of 8 chars/numbers/special chars... so far so good, but the maximum length is also limited to 12.

What does this mean in terms of security, and what reasons could there be for it? Does it mean they don't hash the passwords and store them in plain text on their servers? There is no two-factor authentication set up in any way. I am quite concerned now; could anyone please clarify the situation?


1 Answer


About password complexity: according to my experience and security standards such as SANS and OWASP, limiting password length to 12 characters is unusual. These standards say that it is better to support enough length, and even to allow users to set pass-phrases to make their accounts more secure.

Good luck.
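To illustrate the point raised in the question and the answer (a hashed password is stored at a fixed size whatever its length, so a 12-character cap has no storage justification), here is an added example that is not from the original thread or from any vendor mentioned in it. It uses a constructed policy (minimum 8, letters, digits and special characters, with a generous upper bound as a hypothetical denial-of-service guard rather than a storage limit) and the standard library's scrypt for hashing.

```python
import hashlib
import hmac
import secrets
from typing import List, Optional

MIN_LEN = 8     # as in the question's policy
MAX_LEN = 256   # assumption: a sanity cap against very long inputs, not a storage limit

def check_policy(password: str) -> List[str]:
    """Return the list of policy violations; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_LEN:
        problems.append(f"shorter than {MIN_LEN} characters")
    if len(password) > MAX_LEN:
        problems.append(f"longer than {MAX_LEN} characters")
    if not any(c.isalpha() for c in password):
        problems.append("no letters")
    if not any(c.isdigit() for c in password):
        problems.append("no digits")
    if not any(not c.isalnum() for c in password):
        problems.append("no special characters")
    return problems

def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Hash with scrypt (memory-hard); the stored record has the same size for any input length."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt, n=2**14, r=8, p=1, dklen=32)
    # Self-describing record so parameters can be raised later without breaking old entries.
    return f"scrypt$16384$8$1${salt.hex()}${digest.hex()}"

def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash from the stored parameters and compare in constant time."""
    algo, n, r, p, salt_hex, digest_hex = stored.split("$")
    if algo != "scrypt":
        return False
    digest = hashlib.scrypt(password.encode("utf-8"), salt=bytes.fromhex(salt_hex),
                            n=int(n), r=int(r), p=int(p), dklen=32)
    return hmac.compare_digest(digest.hex(), digest_hex)

if __name__ == "__main__":
    # Constructed sample: a 34-character passphrase that a 12-character cap would reject.
    passphrase = "correct horse battery staple 2024!"
    print("policy violations:", check_policy(passphrase))
    record = hash_password(passphrase)
    print("stored record length:", len(record))
    print("verify full passphrase:", verify_password(passphrase, record))
    print("verify truncated to 12:", verify_password(passphrase[:12], record))
```

The stored record is the same length for an 8-character password and a 34-character passphrase, which is the property the answer relies on: a hashing back end gains nothing from a low maximum, so such a cap usually points at some other constraint in the pipeline.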