Thoughts, ideas and solutions from a few EPM consultants.

EPM Security (Passwords)

As consultants we implement and work on a lot of EPM environments. Like most EPM installers we follow some well-known conventions when it comes to database schema names and user accounts. One other thing we, and many others, commonly do is use familiar passwords so that our teams can get in and get their work done. This is not unique to EPM, when setting up a system generally it makes more sense to “Get it up and done” than to worry about things like security after we leave. I think most installers like myself generally let the clients know they should change the admin password but more often than not they seem hesitant to do so for fear of breaking something.

Over time I’ve noticed a common trend, the password that was set by the installers was never changed. There have been several instances when onboarding at a new client that we have been able to “guess” the password. While this may seem like a great feat it’s actually due to use of some very common passwords and many times via the use of some “leetspeak” (http://en.wikipedia.org/wiki/Leet.)

PasscodeCommon Variants
PasswordPassword1Pa55w0rdp@5sw0rd
HyperionHyperon1Hyp3r10nhyp3r!on
EssbaseEssbase1E55ba5ee5sb45e

There are a few problems with these passwords in addition to being very common. First the passwords above are quite short, next they are based off of single words. This makes them highly susceptible to a dictionary attack. Many people assume the use of “leet” characters makes them less vulnerable and while there is a small degree of truth, it’s far from secure. Sure the financial controller that has been with the company 10 years probably wouldn't think to change the letter S to a 5 but there is a pretty good chance the, fresh out of college, newly hired accountant or IT worker might. Also many of the common password breaking tools are well aware of leetspeak (http://optimwise.com/passwords-with-simple-character-substitution-are-weak/.)

So if you have a system that's using one of these or something thats a bit too simple you will probably want to change it. Changing passwords in EPM is pretty simple and well documented. We suggest you use a separate account for services like connecting Planning or FDM to Essbase. This way if the admin password has to be changed later it may not affect these services.

In addition to changing passwords we would suggest the use of stronger passwords, the longer the better. The method that is my personal favorite came in the form of a popular online comic XKCD. Someone even went as far to create a Correct Horse Battery Staple generator if you don't feel like being very creative.