Select language:

Background documentationPassword Rules

 

The following table describes the specifications that you need to follow for passwords. It also shows whether these guidelines are predefined in the system or whether you can change them using profile parameters.

Rule

Comment

The password must be at least 3 characters long

Can be changed with profile parameter login/min_password_lng.

The password cannot be more than 40 characters long Until SAP NetWeaver 6.40 (inclusive), passwords could not be more than 8 characters long.

Predefined in SAP System

Until SAP NetWeaver 6.40 (inclusive), all characters of the syntactic character set can be used, that is, all letters and digits, and some special characters. The system does not differentiate between upper- and lower-case.

After SAP NetWeaver 6.40, any Unicode characters can be used, and the system does differentiate between upper- and lower-case.

As of SAP Web AS 6.10, the administrator can define how many digits, letters, and special characters must be contained in new passwords (see profile parameter).

Can be changed with profile parameters login/min_password_letters, login/min_password_digits, and login/min_password_specials.

More information:login/password_charset.

The first character may not be an exclamation point (!) or a question mark (?).

Predefined in SAP System

The first three characters may not appear in the same order in the user ID

This rule applies only in systems up to SAP R/3 4.6D.

Predefined in SAP System

The first three characters cannot all be the same.

Predefined in SAP System

None of the first three characters can be a space

This rule applies only in systems up to SAP R/3 4.6D.

Predefined in SAP System

The password may not be in a list of impermissible passwords (table USR40) The list contains character combinations or terms, where the asterisk (*) and question mark (?) can be used as placeholders. Asterisk (*) stands for a character sequence, and the question mark (?) for a single character.

The administrator receives only a warning, if he or she breaks this password rule when assigning passwords in user maintenance.

Can be changed. The default value is that all passwords, except PASS and SAP* are allowed.

The password may not be PASS or SAP*

Predefined in SAP System

If the user changes the password, this cannot be the same as the last x passwords of the user.

Until SAP NetWeaver 6.40 (inclusive), the password history was fixed to the value 5.

After SAP NetWeaver 6.40, the administrator can set the size of the password history (up to 100 passwords selected by the user).

The administrator can reset a user’s password to any initial password, therefore also to one of the last x passwords for this user. This is necessary, as the administrator should not know the passwords of the users. At the first interactive logon, the system prompts the user to change the initial password.

Can be changed with profile parameter login/password_history_size.

The user can only change the password after he or she has entered the correct old password.

Up to SAP Web AS 6.10, the user can only change the password during the logon procedure. As of SAP Web AS 6.20, the user can also change the password by choosing   System  User Profile   Own Data   (transaction SU3)

Predefined in SAP System

Users can only change their passwords again after a wait period.

Until SAP NetWeaver 6.40 (inclusive), the wait period was one day. A password changed by a user could only be changed again by that user on the next day.

The system can now reject all password changes during the wait period (unit: days). If the administrator changes the user’s password, the user must change this initial password the next time he or she logs on, regardless of when he or she last changed his or her password.

System administrators can still change passwords as often as necessary.

Can be changed with profile parameter login/password_change_waittime.

The password must contain at least x lower-case letters.

Until SAP NetWeaver 6.40 (inclusive), the system did not differentiate between upper- and lower-case.

Can be changed with profile parameter login/min_password_lowercase.

The password must contain at least x upper-case letters.

Until SAP NetWeaver 6.40 (inclusive), the system did not differentiate between upper- and lower-case.

Can be changed with profile parameter login/min_password_uppercase.

At least one character in the new password must be different from the old password.

As of SAP Web AS 6.10, the administrator can specify the minimum number of characters that must be different in the old and new passwords in a profile parameter.

Can be changed with profile parameter login/min_password_diff.

The password must obey the current password rules. Otherwise, the user needs to change it.

Until SAP NetWeaver 6.40 (inclusive), changed password rules did not apply to old passwords, and the system only evaluated this when passwords were changed.

Can be activated with profile parameter login/password_compliance_to_current_policy.

An unused productive password (a password set by the user) is valid for a maximum of x days.

Available after SAP NetWeaver 6.40.

Can be changed with profile parameter login/password_max_idle_productive.

An unused initial password (a password set by the administrator) is valid for a maximum of x days. After this period has expired, the user can no longer use the password for authentication. The user administrator can reactivate password-based logon by assigning a new initial password.

Available after SAP NetWeaver 6.40.

Can be changed with profile parameter login/password_max_idle_initial.

Note Note

As of SAP Web AS 6.10, the function module PASSWORD_FORMAL_CHECK can determine whether a string meets the current password rules. It does not evaluate the following rules:

  • Password may not be changed to any of a user’s last five passwords

  • The user can only change the password after correctly entering the old password.

  • A user can change his or her password only once a day.

  • At least x characters in the new password must be different from the old password.

For an exact description of the sequence and the scope of the check, see the documentation for the function module. You can display this documentation with transaction SE37.

End of the note.