Security Measures Related to Password Rules 

In addition to the standard rules available in SAP Systems:

·        You can change the default minimum length for passwords using the profile parameter login/min_password_lng.

·        You can force users to have to change their passwords after a set period of time. Set this value using the profile parameter login/password_expiration_time.

Assign the appropriate user type for users whose passwords should not expire, for example, system or communication users that are used for background processing or for communicating between systems. See User Types.

·        You can prohibit certain character combinations by entering prohibited passwords in the table USR40 (Use transaction SM30).

You can use either a question mark (?) or asterisk (*) as wildcard characters. The question mark stands for a single character and the asterisk stands for any combination of characters of any length.

Examples:

·         The entry 123* in table USR40 prohibits any password that begins with the sequence "123".

·         The entry *123* prohibits any password that contains the sequence "123".

·         The entry AB? prohibits all passwords that begin with "AB" and have one additional character, for example, "ABA", "ABB", or "ABC".

Additional Recommendations

·        Users should avoid using names, dates, or words that can be found in a standard dictionary for passwords. There are many programs available that can automatically determine passwords that fit in these categories.

·        You can make a password relatively safe by including a mixture of alphabetic and numeric characters with at least one special character in the middle of the password.

·        We especially advise the system administrator to use a complex password with the maximum length (8 characters) that contains at least one digit and special character.

See also:

Profile Parameters for Logon and Password (Login Parameters)