USR40: How to restrict illegal SAP passwords?

In recent years, There have been a lot of cyber attacks on SAP systems. Such attacks tend to disrupt the production activities of your customers totally. Hackers try to exploit the SAP systems using some commonly known and used passwords. For eg. Suppose any of the users set their passwords as “123456” or “PASS123”, then it’s going to be very easy for the hackers to predict such weak passwords. This is a huge security risk. So in order to restrict users from setting such weak passwords, SAP provides us with table USR40.

What is table USR40 used for?

USR40 is an SAP standard transparent table. It is used for storing all the possible combinations of easy/weak passwords. This way the users won’t be able to set passwords containing these combinations and the system will throw an error “Password is in exception table”.

USR40: Table for illegal passwords

How to maintain the USR40 table?

Execute transaction SM30 and enter the table name as USR40. Then click on “Maintain”.

Maintain USR40 table using SM30

To add an entry, click on “New Entries” and maintain the password pattern which you want to restrict. Keep the column “Case-Sens?” untick. SAP uses this indicator to determine whether passwords are to be case-sensitive.

USR40: Maintain new entries

Keep in mind that the USR40 table is cross-client. So if you make any changes in any one client, then it will become active for other clients as well. Also, if the client is not open to make the changes, then change the settings using the SCC4 transaction.

Now there are 2 ways, you can maintain the entries in the USR40 table:

1. Make use of ? to represent a single wildcard character.

For eg. If you maintain an entry as PASS00? then the SAP will restrict all the password combinations like PASS001, PASS002, PASS003, and so on.

2. Use * as a wildcard character

For eg. If you maintain an entry as *ABC*, then the SAP will restrict all the passwords having *ABC*.

You may also check the below video tutorial for more information:


What does a password in the exception table (USR40) mean?

It means that the users cannot use any of the password patterns in their passwords.

Which table controls the list of impermissible passwords?

USR40 controls the list of impermissible passwords.

Password is in exception table

If any user provides a password containing the pattern maintained in the table USR40, they will get the above-mentioned error message. To resolve this, please ask the user to make the password unique.

Password is in exception table

Leave a Comment

Your email address will not be published. Required fields are marked *

Scroll to Top