SAP Library - Find your answers

A user account must have a password in order to be able to connect to the SAP system. When a user is created in SAP, an initial password is assigned to the user account. The initial password can be explicitly specified or system generated. The user is prompted to change the password on first logon attempt.

It is important to ensure that both the initial and new passwords must not be trivial.

A number of parameters can be used to manage password in SAP.

These include:
Login/password_expiration_time: This parameter defines the number of days after which a password must be changed.

Login/min_password_lng: This parameter defines the minimum password length.

Login/min_password digit: This parameter defines the minimum number of digits (0-9) in a password.

Login/min_password_letters: This parameter defines the minimum number of letters or alphabets (A-Z) in a password.

Login/min_password_special: This parameter defines the number of special characters in a password. These special characters include (), !, \, $ , %,:,’, “, ;, =, &, #, },],{,[, >, <.

Login/min_password_diff: This parameter defines the number of differing characters from previous password.

In order to enforce password complexity and ensure that passwords that can be easily guessed are not specified in the system, SAP provides table USR40, which is used to define prohibited passwords.
This table houses words that cannot be used as password in the SAP system.

? and * are two wild characters that can be used in conjunction with words defined in the USR40 table. While ? addresses single character, * addresses sequence of any combination of characters of any length.

For example, 123* forbids password that begins with 123; *123* forbids any password that contains the sequence 123 and XY? Forbid password that begin with XY and have additional characters such as XYX, XYY and XYZ.
Source Kehinde Eseyin