SAP Default passwords when used with Oracle notes
Note: This page was created 17 years ago (this note was written during Corona Virus Lockdown at the end of March 2020) and as such is likely out of date but we will keep it here for reference
It has been pointed out to me that there is no account called SAP in Oracle. In older releases the username used is SAPR3 with a password of SAP.
In newer releases of SAP the schema account name is called SAP{schema_name} where schema_name defaults to the SID of database. If you have a SID called DEV then the SAP schema account will be called SAPDEV. This name can be changed later by the administrator after SAP has been installed.
The easiest way to find out the name of the SAP user ID is to use the following SQL:
SELECT OWNER FROM DBA_TABLES WHERE TABLE_NAME='T000';
The entry in the default password list for the user SAP with a password of 06071992 is actually an application level user. SAP systems also come with a default user called SAP* within R/3 (not in Oracle) and another user DDIC with a password of 19920706. Both of these users are harder to check for default passwords (and actually out of scope for this site as we are concentrating on Oracle security here). The hash values need to be collected for these users and they can be compared with the values in the Oracle database table SAPR3.USR02 or they can be tested at the application level.
What has changed in the default password list?
I decided to leave all of these accounts SAP (with passwords of SAPR3 and 06071992) even though they are actually application accounts. I do this because these users and passwords have circulated the Internet for about 3 years with these values as valid Oracle accounts. So to be complete I should leave them here in case anyone has created accounts in the database with the same values. I have also changed the descriptions accordingly in the download files.
Thanks and credit
Thanks to Rich Holland who has pointed out the changes to do with SAP passwords for my Oracle default user list.