Password Rules 
The following table describes the specifications that are to be followed for passwords. It also shows whether these guidelines are predefined in the system or whether you can change them using profile parameters.
Rule | Notes |
The password must be at least 3 characters long. | You can change this with profile parameter login/min_password_lng. |
The password cannot be more than 40 characters long. Until SAP NetWeaver 6.40 (inclusive), passwords could not be more than 8 characters long. | Predefined in SAP System |
Until SAP NetWeaver 6.40 (inclusive), all characters of the syntactic character set can be used, that is, all letters and digits, and some special characters. The system does not differentiate between upper- and lower-case. After SAP NetWeaver 6.40, any Unicode characters can be used, and the system does differentiate between upper- and lower-case. As of SAP Web AS 6.10, the administrator can define how many digits, letters, and special characters must be contained in new passwords (see profile parameter). | You can change this with profile parameters login/min_password_letters, login/min_password_digits, and login/min_password_specials. See also: login/password_charset. |
The first character may not be a quotation or question mark, or a space. | Predefined in SAP System |
The first three characters may not appear in the same order in the user ID. This rule applies only in systems up to SAP R/3 4.6D. | Predefined in SAP System |
The first three characters cannot all be the same. | Predefined in SAP System |
None of the first three characters can be a space. This rule applies only in systems up to SAP R/3 4.6D. | Predefined in SAP System |
The password may not be in a list of impermissible passwords (table USR40). The list contains character combinations or terms, where the asterisk (*) and question mark (?) can be used as placeholders. Asterisk (*) stands for a character sequence, and the question mark (?) for a single character. The administrator receives only a warning if he or she breaks this password rule when assigning passwords in user maintenance. | Can be changed. The default value is that all passwords, except PASS and SAP*, are allowed. |
The password cannot be PASS or SAP*. | Predefined in SAP System |
The password may not be changed to any of a user’s last x passwords, if the user changes the password himself or herself. Until SAP NetWeaver 6.40 (inclusive), the password history was fixed to the value 5. After SAP NetWeaver 6.40, the administrator can set the size of the password history (up to 100 passwords selected by the user). The administrator can reset a user’s password to any initial password, therefore also to one of the last x passwords for this user. This is necessary, as the administrator should not know the passwords of the users. The user is prompted to change the initial password at the first interactive logon. | You can change this with the profile parameter login/password_history_size. |
The password can only be changed after the old password has been entered correctly. Up to SAP Web AS 6.10, the user can only change the password during the logon procedure. As of SAP Web AS 6.20, the user can also change the password by choosing System → User Profile → Own Data (transaction SU3). | Predefined in SAP System |
Users can only change their passwords again after a wait period. Until SAP NetWeaver 6.40 (inclusive), the wait period was one day. A password changed by a user could only be changed again by that user on the next day. The system can now reject all password changes during the wait period (unit: days). If the administrator changes the user’s password, the user must change this initial password the next time he or she logs on, regardless of when he or she last changed his or her password. System administrators can still change passwords as often as necessary. | You can change this with the profile parameter login/password_change_waittime. |
The password must contain at least x lower-case letters. Until SAP NetWeaver 6.40 (inclusive), the system did not differentiate between upper- and lower-case. | You can change this with profile parameter login/min_password_lowercase. |
The password must contain at least x upper-case letters. Until SAP NetWeaver 6.40 (inclusive), the system did not differentiate between upper- and lower-case. | You can change this with profile parameter login/min_password_uppercase. |
At least one character in the new password must be different from the old password. As of SAP Web AS 6.10, the administrator can specify the minimum number of characters that must be different in the old and new passwords in a profile parameter. | You can change this with profile parameter login/min_password_diff. |
The password must comply with the current password rules and must be changed if it does not. Until SAP NetWeaver 6.40 (inclusive), changed password rules did not apply to old passwords, but were only evaluated when passwords were changed. | You can activate this with the profile parameter login/password_compliance_to_current_policy. |
A productive password (chosen by the user) is valid for a maximum of x days, if it is not used. Available after SAP NetWeaver 6.40. | You can change this with the profile parameter login/password_max_idle_productive. |
An initial password (set by the user administrator) is valid for a maximum of x days, if it is not used. After this period has expired, the password can no longer be used for authentication. The user administrator can reactivate password-based logon by assigning a new initial password. Available after SAP NetWeaver 6.40. | You can change this with the profile parameter login/password_max_idle_initial. |

As of SAP Web AS 6.10, the function module PASSWORD_FORMAL_CHECK can determine whether a string meets the current password rules. The following rules are not evaluated here:
· Password may not be changed to any of a user’s last five passwords.
· The password can only be changed after the old password has been entered correctly.
· A user can change his or her password only once a day.
· At least x characters in the new password must be different from the old password.
For an exact description of the sequence and the scope of the check, see the documentation for the function module. You can display this documentation with transaction SE37.
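
The formal rules from the table (the ones that need no old password or history), written as an offline check in Python. This is an added example, not SAP code and not the logic of PASSWORD_FORMAL_CHECK; the policy values, the USR40 entries, the definition of a special character and the case-insensitive comparison are assumptions.

```python
import re

# Constructed sample policy: the parameter names come from the table above,
# the values are illustrative and are not SAP defaults or recommendations.
POLICY = {
    "login/min_password_lng": 8,
    "login/min_password_letters": 1,
    "login/min_password_digits": 1,
    "login/min_password_specials": 1,
    "login/min_password_lowercase": 1,
    "login/min_password_uppercase": 1,
}
USR40_SAMPLE = ["*PASSWORD*", "SUMMER20??", "WELCOME*"]  # constructed entries
FORBIDDEN_FIRST = ('"', "?", " ")  # quotation mark, question mark, space


def usr40_regex(pattern):
    """Translate a USR40 entry: '*' = any sequence, '?' = exactly one character."""
    parts = (".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    # Assumption: list entries are compared without regard to case.
    return re.compile("".join(parts), re.IGNORECASE | re.DOTALL)


def formal_check(password, policy=POLICY, usr40=USR40_SAMPLE):
    """Return the violated rules; an empty list means the string passes."""
    counts = {
        "login/min_password_lng": len(password),
        "login/min_password_letters": sum(c.isalpha() for c in password),
        "login/min_password_digits": sum(c.isdigit() for c in password),
        # Assumption: a "special" is any character that is neither letter nor digit.
        "login/min_password_specials": sum(not c.isalnum() for c in password),
        "login/min_password_lowercase": sum(c.islower() for c in password),
        "login/min_password_uppercase": sum(c.isupper() for c in password),
    }
    violations = [name for name, minimum in policy.items() if counts[name] < minimum]
    if len(password) > 40:
        violations.append("longer than 40 characters")
    if password[:1] in FORBIDDEN_FIRST:
        violations.append("forbidden first character")
    if len(password) >= 3 and len(set(password[:3])) == 1:
        violations.append("first three characters identical")
    if password.upper() in ("PASS", "SAP*"):  # literal strings, not patterns
        violations.append("PASS or SAP*")
    violations += [f"USR40:{p}" for p in usr40 if usr40_regex(p).fullmatch(password)]
    return violations
```

Running a candidate USR40 list against sample strings this way shows which entries need leading or trailing asterisks before the list is maintained in the system.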