13.07.2015 Views

System Administration Made Easy



Chapter 11: Security Administration

Operational Security

A password is the key to enter the system, similar to the key you use to enter your home. If users choose easy-to-guess or well-known passwords, security is compromised and your system is potentially at risk.

Your external auditors may check to see if you have a mechanism to secure against users with “easy-to-guess” passwords.

By maintaining the table of prohibited passwords.

A table of prohibited passwords is a user-defined list of passwords that are prohibited from being used in the R/3 System. This table is not a substitute for good password policies and practices by the users.

Interaction occurs between a system profile parameter and the table of prohibited passwords. If the minimum password length is set to five characters, there is no reason to prohibit passwords like “123” or “SAP,” because these passwords would fail the minimum length test. However, if company security policy requires it, you could include all passwords that are considered “risky” in the table.

The following is a list of easily guessed passwords that cannot be put into any table:

There are many lists circulating of commonly used user passwords. If one of these passwords is used, the chances of an unauthorized person accessing a user’s account increase.

Changes will be made to table USR40 using transaction SM31, the general table maintenance transaction. (For more information on this transaction, see chapter 19, Change Management:

11–30 Release 4.6A/B
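The interaction described above between the minimum password length and the table of prohibited passwords, as an added example that is not part of the original guide: it splits a candidate list into entries worth maintaining and entries the length test already rejects. The wildcard semantics (? for one character, * for any sequence), the case-insensitive comparison, and all function names and sample entries are assumptions made for this illustration.

```python
import re

MIN_LEN = 5  # minimum password length used in the chapter's example
# Constructed candidate list; "123" and "SAP" are the chapter's own examples.
CANDIDATES = ["123", "SAP", "SAP*", "PASSWORD", "12345", "????"]


def matches(entry, password):
    """Match one table entry against a password (assumed: ?, * wildcards, no case)."""
    parts = []
    for ch in entry.upper():
        if ch == "?":
            parts.append(".")       # exactly one character
        elif ch == "*":
            parts.append(".*")      # any sequence, including empty
        else:
            parts.append(re.escape(ch))
    return re.fullmatch("".join(parts), password.upper(), re.DOTALL) is not None


def is_redundant(entry, min_len):
    """True when every password the entry can match is shorter than min_len.

    Without '*' an entry only matches passwords of its own length, so a short
    literal such as "SAP" adds nothing. With '*' it can match longer passwords.
    """
    return "*" not in entry and len(entry) < min_len


def split_entries(entries, min_len):
    """Return (effective, redundant) entries for the given minimum length."""
    effective = [e for e in entries if not is_redundant(e, min_len)]
    redundant = [e for e in entries if is_redundant(e, min_len)]
    return effective, redundant


def check_password(password, entries, min_len):
    """Return (accepted, reason), applying the length test before the table."""
    if len(password) < min_len:
        return False, "shorter than minimum length"
    for entry in entries:
        if matches(entry, password):
            return False, "matches prohibited entry " + entry
    return True, "ok"


if __name__ == "__main__":
    effective, redundant = split_entries(CANDIDATES, MIN_LEN)
    print("maintain in table:", effective)
    print("already covered by length test:", redundant)
    for pw in ("sap", "sap2015", "Password", "Tr4ffic"):
        print(pw, check_password(pw, effective, MIN_LEN))
```

Raising or lowering the minimum length changes which literal entries are redundant, so the split is worth re-running whenever that parameter changes.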
