Password Rules
The following table describes the specifications that are to be followed for passwords. It also shows whether these guidelines are predefined in the system or whether you can change them using profile parameters.
| Rule | Notes |
| --- | --- |
| The password must be at least 3 characters long. | You can change this with profile parameter login/min_password_lng. |
| The password cannot be more than 8 characters long. | Predefined in SAP system |
| All characters of the syntactical character set can be used; that is, all letters, digits, and some special characters. It is not case-sensitive. As of SAP Web AS 6.10, the administrator can define how many digits, letters, and special characters must be contained in new passwords (see profile parameter). | You can change this with profile parameters login/min_password_letters, login/min_password_digits, and login/min_password_specials. |
| The first character may not be an exclamation point (!) or a question mark (?). | Predefined in SAP system |
| The first three characters may not appear in the same order in the user ID. This rule applies only in systems up to SAP R/3 4.6D. | Predefined in SAP system |
| The first three characters cannot all be the same. | Predefined in SAP system |
| None of the first three characters can be a space. This rule applies only in systems up to SAP R/3 4.6D. | Predefined in SAP system |
| The password may not be in a list of impermissible passwords (table USR40). The list contains character combinations or terms, where the asterisk (*) and question mark (?) can be used as placeholders. Asterisk (*) stands for a character sequence, and the question mark (?) for a single character. The administrator receives only a warning if he or she breaks this password rule when assigning passwords in user maintenance. | Can be changed. The default value is that all passwords, except PASS and SAP*, are allowed. |
| The password cannot be PASS or SAP*. | Predefined in SAP system |
| The password may not be changed to any of a user’s last five passwords, if the user changes the password himself or herself. The administrator can reset a user’s password to any password, even to one of the last five passwords of this user. This is necessary, since the administrator should not know the passwords of the users. The user is prompted to change the password at the first interactive logon. | Predefined in SAP system |
| The password can only be changed after the old password has been entered correctly. Up to SAP Web AS 6.10, the user can only change the password during the logon procedure. As of SAP Web AS 6.20, the user can also change the password by choosing System → User Profile → Own Data (transaction SU3). | Predefined in SAP system |
| The user can only change the password a maximum of once a day; the administrator can change the password any number of times. | Predefined in SAP system |
| The password is not case-sensitive. | Predefined in SAP system |
| At least one character in the new password must be different from the old password. As of SAP Web AS 6.10, the administrator can specify the minimum number of characters that must be different in the old and new passwords in a profile parameter. | You can change this with profile parameter login/min_password_diff. |

Changed password rules do not affect old passwords. The password rules are only evaluated when changing the password.

As of SAP Web AS 6.10, the function module PASSWORD_FORMAL_CHECK can determine whether a string meets the current password rules. The following rules are not evaluated here:
● The password may not be changed to any of a user’s last five passwords.
● The password can only be changed after the old password has been entered correctly.
● A user can change his or her password only once a day.
● At least one character in the new password must be different from the old password.
For an exact description of the sequence and the scope of the check, see the documentation for the function module. You can display this documentation with transaction SE37.
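
As an added illustration (not SAP code, and not the logic of PASSWORD_FORMAL_CHECK itself), the following Python model applies the history-independent rules from the table to a candidate string, including the USR40 placeholder matching. The `Policy` class, the function names, the zero defaults for letters, digits and specials, and the sample USR40 entries are assumptions made for this example.

```python
import re
from dataclasses import dataclass

@dataclass
class Policy:
    # Fields mirror the login/* profile parameters named in the table.
    min_password_lng: int = 3        # default stated in the table
    min_password_letters: int = 0    # assumed default (not given on the page)
    min_password_digits: int = 0     # assumed default
    min_password_specials: int = 0   # assumed default
    usr40: tuple = ()                # impermissible-password patterns (constructed)

def usr40_regex(pattern):
    # USR40 placeholders: * = any character sequence, ? = exactly one character.
    table = {"*": ".*", "?": "."}
    return re.compile("".join(table.get(c, re.escape(c)) for c in pattern.upper()))

def formal_check(password, policy, user_id="", up_to_46d=False):
    """Return the violated rules; an empty list means formally acceptable."""
    pw, first3, errs = password.upper(), password.upper()[:3], []  # not case-sensitive
    if len(pw) < policy.min_password_lng:
        errs.append("shorter than login/min_password_lng")
    if len(pw) > 8:
        errs.append("longer than 8 characters")
    if pw[:1] in ("!", "?"):
        errs.append("starts with ! or ?")
    if len(first3) == 3 and len(set(first3)) == 1:
        errs.append("first three characters identical")
    if pw in ("PASS", "SAP*"):       # treated as literal strings (assumption)
        errs.append("PASS or SAP*")
    if any(usr40_regex(p).fullmatch(pw) for p in policy.usr40):
        errs.append("matches a USR40 entry")
    # "specials" approximated as any non-alphanumeric character (assumption)
    counts = {"letters": sum(c.isalpha() for c in pw), "digits": sum(c.isdigit() for c in pw),
              "specials": sum(not c.isalnum() for c in pw)}
    for name, have in counts.items():
        if have < getattr(policy, f"min_password_{name}"):
            errs.append(f"fewer than login/min_password_{name}")
    if up_to_46d:                    # rules that apply only up to SAP R/3 4.6D
        if len(first3) == 3 and first3 in user_id.upper():
            errs.append("first three characters appear in user ID")
        if " " in first3:
            errs.append("space in first three characters")
    return errs

if __name__ == "__main__":
    policy = Policy(min_password_digits=1, usr40=("*SAP*", "WELCOME?"))  # constructed
    for candidate in ("ab", "aaa12345", "mysap01", "Welcome1", "Tr4ffic!"):
        print(candidate, formal_check(candidate, policy, user_id="TRADER"))
```

Like the function module, this model leaves out the four rules listed above, because they depend on the old password, the password history, or the time of the last change.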
