Logon and Password Security in the SAP System

This section provides a general overview of logon and password security in the SAP System.

The Initial Password

When you create a user, you are required to enter a password for the user. The password must meet all of the internal requirements set by the SAP System as well as any Customizing changes that you have made. For more information, see Setting Password Controls.

When a new user logs on for the first time, he or she must specify a new password before proceeding.

Password Requirements

The following table shows the password requirements and whether each is fixed by the system or can be customized.

Password Requirement | Type
---------------------|-----
Minimum length: 3 characters | Can be defined by the customer. The minimum length can be increased.
Expiration | Can be defined by the customer. The number of days after which a password must be changed can be set. Default rule: no expiration is set, so the password need not be changed.
Password may not be set to a value that is contained in a "lock-out list" | Can be defined by the customer. Default rule: only the passwords PASS and SAP* are excluded.
First character may not be ! or ? | Fixed in SAP System
First three characters may not appear in the same sequence in the user ID | Fixed in SAP System
First three characters may not be identical | Fixed in SAP System
Space character not allowed within the first three characters | Fixed in SAP System
Password may not be PASS or SAP* | Fixed in SAP System
Any character that can be typed on the keyboard is allowed in a password. Passwords are not case-sensitive: no distinction is made between uppercase and lowercase letters | Fixed in SAP System
A user can change his or her password no more than once a day. This restriction does not apply to user administrators | Fixed in SAP System
Password may not be changed to any of the user's last five passwords | Fixed in SAP System

For help in setting the customizable password requirements, see Define Password Rules.
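The rules in the table above, written out as a checker (an added example, not SAP's own code; the customer-definable settings are modelled as parameters, and the user IDs and passwords in the sample run are constructed):

```python
from typing import Iterable

# Fixed by the system: these two values are never accepted as a password.
FIXED_FORBIDDEN = {"PASS", "SAP*"}
HISTORY_DEPTH = 5  # fixed: none of the user's last five passwords may be reused


def check_password(password: str, user_id: str,
                   previous: Iterable[str] = (),
                   min_length: int = 3,
                   lockout_list: Iterable[str] = ()) -> list[str]:
    """Return the rules the candidate password violates (empty list = accepted).

    min_length and lockout_list model the customer-definable settings; the
    other checks are the fixed rules. All comparisons are case-insensitive
    because the system does not distinguish upper- and lowercase letters.
    """
    pw, uid = password.upper(), user_id.upper()
    forbidden = FIXED_FORBIDDEN | {p.upper() for p in lockout_list}
    history = {p.upper() for p in list(previous)[-HISTORY_DEPTH:]}
    head = pw[:3]  # the fixed rules that look at the start of the password
    violations = []
    if len(pw) < min_length:
        violations.append(f"shorter than the minimum length of {min_length}")
    if pw in forbidden:
        violations.append("value is PASS, SAP* or on the lock-out list")
    if pw[:1] in ("!", "?"):
        violations.append("first character is ! or ?")
    if len(head) == 3 and head in uid:
        violations.append("first three characters occur in that order in the user ID")
    if len(head) == 3 and len(set(head)) == 1:
        violations.append("first three characters are identical")
    if " " in head:
        violations.append("space within the first three characters")
    if pw in history:
        violations.append("matches one of the last five passwords")
    return violations


if __name__ == "__main__":
    # Constructed sample: user JSMITH, whose ID contains the sequence SMI.
    for candidate in ("smi-2024", "SAP*", "Zebra42"):
        print(candidate, check_password(candidate, "JSMITH", previous=["Old1"]))
```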

Logging On

To access the R/3 System and its data, a user must log on to the system. The user must enter both a user ID and a password; an empty password is not possible.

Before the user is admitted to the system, the system checks whether either of two conditions applies:

If this is the case, the user is not permitted to log on. As user administrator, you can lock a user to prevent logons. You can find further details in Locking and Unlocking User Master Records.

You can specify how long passwords remain valid in the system profile. By default, there is no limit on the validity of passwords.

A user cannot change a password more than once a day. The system requires both the user’s current password and two matching entries of the new password.

If the user ID and password are correct, then the system displays the date and time of the user’s last logon. With the date and time, the user can check that no suspicious logon activity has occurred, such as a logon in the middle of the night. The logon date and time cannot be changed in a standard production R/3 System. The system does not record the logoff date and time.

Logon Errors

If a user has not entered a valid user ID, the system allows the logon attempt to continue until the user enters a valid user ID. User IDs, and passwords as well, are not case-sensitive. A user can enter his or her user ID in lowercase, uppercase, or a combination of both.

If a user enters an incorrect password, then the system allows the user two retries before terminating the logon attempt. Should the user continue to enter an incorrect password in subsequent logon attempts, then the system automatically locks the user against further logon attempts. The default maximum number of consecutive incorrect password entries is set to 12. For more information, see Setting Password Controls.

A user who was locked because of too many incorrect passwords is automatically unlocked at midnight of the day on which the lock was set. A user administrator can unlock the user at any time.