Why password policy matters in SAP
Password policy is the most externally visible security control in any SAP system. Auditors test the password parameters early in every engagement because the check is fast and deterministic, and weak values are a reliable indicator of a weak security baseline overall. A system still running the kernel defaults accepts six-character passwords that never expire, blocks reuse of only the last five passwords, and clears failed-logon locks automatically at midnight (login/failed_user_auto_unlock = 1). The customer position is to align with the published baseline and track every deviation as an exception with documented rationale. Reference the security audit pillar, the compliance framework pillar, and the security hardening expertise.
The parameter set
Password policy is governed by a set of about a dozen login/* profile parameters in standard SAP NetWeaver. The most important are login/min_password_lng (minimum length, maximum 40), login/password_expiration_time (change frequency in days, 0 meaning never), login/fails_to_user_lock (lockout threshold), login/password_history_size (history depth), and the complexity parameters login/min_password_letters, login/min_password_digits, login/min_password_specials, login/min_password_lowercase and login/min_password_uppercase (minimum count per character class); there is no single "complexity" parameter. Each parameter has a target value, is documented in the SAP security baseline, and is reviewed in every external audit. Read the current values with RZ11 or report RSPFPAR, which show the effective value including the kernel default for any parameter absent from the profile. Reference the security audit pillar, the security baseline analysis, and the user access review analysis.
The recommended values
The recommended values follow the SAP security baseline. Minimum length 12 characters for standard accounts and 16 characters for privileged accounts. Change frequency 90 days for standard accounts and 60 days for privileged accounts. Lockout threshold 5 failed attempts, with login/failed_user_auto_unlock set to 0 so that locks are not cleared at midnight. History depth 12 previous passwords. Complexity requirement of three out of four character classes (upper, lower, digit, special); because SAP enforces complexity as a minimum count per class rather than an any-three-of-four rule, express it as minimum counts for the classes you require. Profile parameters are system-wide, so the stricter privileged-account values cannot be set in the profile alone; apply them with a security policy (transaction SECPOL) assigned to the privileged users in SU01. The recommended values balance security and usability and meet most external auditor expectations. Reference the security baseline analysis, the SSO security analysis, and the two factor authentication analysis.
The rollout sequencing
The rollout sequence applies the recommended values in two phases. Phase one sets length, complexity, history, and lockout immediately. Length, complexity and history are only evaluated when a password is set, so existing passwords remain valid until their next change; set login/password_compliance_to_current_policy to 1 if users whose current password breaks the new rules should be forced to change it at next logon. The lockout threshold applies to the next logon attempt as soon as the parameter is active. Most login/* parameters can be changed dynamically in RZ11 for the running instance (check the "dynamically switchable" flag); persist the values in the profile with RZ10 so they survive a restart. Phase two tightens change frequency over three months because that change hits every active user at the next change cycle. The phased approach reduces helpdesk volume and the operational disruption that drives policy rollback in immature programs. Reference the security baseline analysis, the user access review analysis, and the security hardening expertise.
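A profile audit covering the parameter set, the recommended values and the two-phase rollout above, as an added example (not the page's or SAP's own tooling). It parses a constructed DEFAULT.PFL-style fragment, falls back to the kernel defaults assumed here for any parameter that is absent (verify them with RZ11 on your kernel release; older kernels defaulted login/fails_to_user_lock to 12), and reports deviations from the page's targets for phase one and phase two. The three-of-four complexity rule is approximated as at least one letter, one digit and one special character, and login/password_compliance_to_current_policy = 1 is included as an assumed phase-one target so existing non-compliant passwords are forced to change.

```python
"""Check SAP NetWeaver password parameters in a profile against a target
baseline. Added example for this page; not SAP code and not an SAP-delivered
check. The parameter names are the real login/* profile parameters."""
import re

# Kernel defaults that apply when a parameter is absent from the profile.
# Assumed from SAP parameter documentation for NetWeaver 7.x kernels;
# verify with RZ11 on your release (older kernels default
# login/fails_to_user_lock to 12, for instance).
KERNEL_DEFAULTS = {
    "login/min_password_lng": 6,
    "login/min_password_letters": 0,
    "login/min_password_digits": 0,
    "login/min_password_specials": 0,
    "login/fails_to_user_lock": 5,
    "login/failed_user_auto_unlock": 1,     # 1 = locks cleared at midnight
    "login/password_history_size": 5,
    "login/password_compliance_to_current_policy": 0,
    "login/password_expiration_time": 0,    # 0 = passwords never expire
}

# Target per parameter: (rollout phase, predicate on the integer value,
# human-readable target). Phase 1 holds the page's immediate changes, phase 2
# the expiration tightening. "Three of four classes" is approximated as at
# least one letter, digit and special character; compliance_to_current_policy
# = 1 is an assumed target that forces users whose existing passwords break
# the new rules to change them at next logon.
BASELINE = [
    ("login/min_password_lng", 1, lambda v: v >= 12, ">= 12"),
    ("login/min_password_letters", 1, lambda v: v >= 1, ">= 1"),
    ("login/min_password_digits", 1, lambda v: v >= 1, ">= 1"),
    ("login/min_password_specials", 1, lambda v: v >= 1, ">= 1"),
    ("login/fails_to_user_lock", 1, lambda v: 1 <= v <= 5, "1..5"),
    ("login/failed_user_auto_unlock", 1, lambda v: v == 0, "0"),
    ("login/password_history_size", 1, lambda v: v >= 12, ">= 12"),
    ("login/password_compliance_to_current_policy", 1, lambda v: v == 1, "1"),
    ("login/password_expiration_time", 2, lambda v: 1 <= v <= 90, "1..90"),
]

PROFILE_LINE = re.compile(r"^([A-Za-z0-9_/]+)\s*=\s*(\S+)")


def parse_profile(text):
    """Parse 'name = value' lines of an SAP profile; '#' starts a comment."""
    params = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = PROFILE_LINE.match(line)
        if m:
            params[m.group(1)] = m.group(2)
    return params


def effective_value(params, name):
    """Return (value, source): the profile value if set, else the kernel default."""
    if name in params:
        return int(params[name]), "profile"
    return KERNEL_DEFAULTS[name], "kernel default"


def audit_profile(text, phase):
    """Return the deviations from every target that is active up to `phase`."""
    params = parse_profile(text)
    findings = []
    for name, rule_phase, ok, target in BASELINE:
        if rule_phase > phase:
            continue
        value, source = effective_value(params, name)
        if not ok(value):
            findings.append(f"{name}={value} ({source}) target {target}")
    return findings


# Constructed DEFAULT.PFL fragments for the example, not from a real system.
WEAK_PROFILE = """
SAPSYSTEMNAME = PRD
login/min_password_lng = 6           # kernel default, short
login/password_expiration_time = 0   # never expires
login/fails_to_user_lock = 12        # pre-7.0 default carried forward
"""

PHASE1_PROFILE = """
SAPSYSTEMNAME = PRD
login/min_password_lng = 12
login/min_password_letters = 1
login/min_password_digits = 1
login/min_password_specials = 1
login/fails_to_user_lock = 5
login/failed_user_auto_unlock = 0
login/password_history_size = 12
login/password_compliance_to_current_policy = 1
"""

HARDENED_PROFILE = PHASE1_PROFILE + "login/password_expiration_time = 90\n"


if __name__ == "__main__":
    for label, profile in (("weak", WEAK_PROFILE), ("phase 1", PHASE1_PROFILE),
                           ("hardened", HARDENED_PROFILE)):
        for phase in (1, 2):
            findings = audit_profile(profile, phase)
            print(f"{label} profile, phase {phase}: {len(findings)} finding(s)")
            for finding in findings:
                print("  ", finding)
```

For an actual assessment, take the effective values from RZ11 or RSPFPAR rather than only from the file: dynamic changes and instance-profile overrides are not visible in DEFAULT.PFL, and per-user security policies (SECPOL) can override these values for the users they are assigned to, which this check cannot see.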
Customers that move SAP password policy to baseline values in a two phase rollout typically close password policy findings in the next audit cycle and reduce password-related helpdesk volume by 15 to 25 percent within six months.
The audit defensible password posture
The audit defensible password posture has four components: the published policy with reference to the baseline; the parameter configuration in production with documented review; the annual assessment that confirms alignment; and the exception log for any deviation with documented rationale and compensating control. Together the four components produce the password posture that survives an external audit walkthrough. Reference the license audit pillar (cross cluster reference) for the audit response posture that complements password policy, together with the audit trail analysis and the SOX ITGC analysis.
Practical posture for SAP password policy best practices
- Password policy is the most externally visible security control in any SAP system
- About a dozen login/* profile parameters govern length, complexity (minimum count per character class), change frequency, lockout, and history
- Recommended values include minimum length 12, change frequency 90 days, lockout 5 attempts, history 12 passwords
- Phased rollout (immediate length and complexity, three month change frequency) reduces helpdesk disruption
- Customers reach baseline alignment within one quarter and close password findings in the next audit cycle
- The audit defensible posture rests on policy, configuration, assessment, and exception log
For the broader context, our license audit complete guide (cross cluster reference) and compliance framework pillar document the response posture and the regulatory map that govern SAP risk. The GRC and security expertise page documents the senior advisor methodology, and the security hardening expertise page documents the technical control library. Confidential consultation is available through the contact form.