13.07.2015 Views

System Administration Made Easy


Chapter 11: Security Administration

Operational Security

There are security parameters for the user’s password (for example, the minimum password length and the interval after which users must change their password).

The following is a list of the most important password parameters:

- Minimum password length: login/min_password_lng
  A longer password is more difficult to break or guess, so the standard is usually five (5) characters.
- Password expiration time: login/password_expiration_time
  This time period is the limit before users must change their password. Auditors usually recommend 30 days. A practical number that customers use is 90 days.
- Password lockout: login/fails_to_user_lock
  This parameter locks out users after a specified number of attempts to log on with an incorrect password. Users are usually locked out after three failed attempts.

Properly assigned parameters will make it more difficult to break into the system. Your external auditors may check to see if you have set the security parameters.

To set up password parameters, maintain system profiles with transaction RZ10 (for more information on this transaction, see chapter 20).

There are certain passwords (for example, 123, QWERTY, abc, sex, sap) that are well known or easy to guess. You can prevent these passwords from being used by loading them into a table (USR40) that the system checks when the user attempts to save a new password.

Table USR40 is only a basic level of password security and is maintained manually. There are third-party password security programs that can be integrated into R/3.
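An added example, not from the book or from SAP: a short Python check that reads profile text in the name = value form and flags the three password parameters above when they are weaker than the values the text gives (five characters, 90 days, three attempts). The sample profile is constructed, and the rule that an expiration time of 0 means passwords never expire is an assumption drawn from SAP's parameter documentation, not from this page.

```python
# Baselines from the text: 5 characters minimum, 90 days expiry, 3 failed logons.
BASELINE = {
    "login/min_password_lng": ("min", 5),
    "login/password_expiration_time": ("max", 90),
    "login/fails_to_user_lock": ("max", 3),
}

# Constructed sample profile, not taken from a real system.
SAMPLE_PROFILE = """\
# instance profile (constructed)
SAPSYSTEMNAME = DEV
login/min_password_lng = 3
login/password_expiration_time = 0
login/fails_to_user_lock = 3
"""

def parse_profile(text):
    """Read 'name = value' lines, skipping blanks and '#' comment lines."""
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, value = line.split("=", 1)
        params[name.strip()] = value.strip()  # a later assignment overrides
    return params

def audit(text):
    """Return {parameter: finding} for each baseline parameter that is weak."""
    params = parse_profile(text)
    findings = {}
    for name, (kind, limit) in BASELINE.items():
        value = params.get(name)
        if value is None:
            findings[name] = "not set in this profile; the system default applies"
        elif not value.isdigit():
            findings[name] = f"non-numeric value {value!r}"
        elif name == "login/password_expiration_time" and int(value) == 0:
            # Assumption (SAP parameter documentation): 0 switches expiry off.
            findings[name] = "0 means passwords never expire"
        elif kind == "min" and int(value) < limit:
            findings[name] = f"{value} is below the baseline of {limit}"
        elif kind == "max" and int(value) > limit:
            findings[name] = f"{value} is above the baseline of {limit}"
    return findings

if __name__ == "__main__":
    for name, finding in audit(SAMPLE_PROFILE).items():
        print(f"{name}: {finding}")
```

A parameter reported as not set still has an effective value on the running system, so confirm it in RZ10 before treating it as a finding.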
