It has been pointed out to me that there is no account called SAP in Oracle. In older releases the username used is SAPR3 with a password of SAP.

In newer releases of SAP the schema account name is called SAP{schema_name} where schema_name defaults to the SID of database. If you have a SID called DEV then the SAP schema account will be called SAPDEV. This name can be changed later by the administrator after SAP has been installed.

The easiest way to find out the name of the SAP user ID is to use the following SQL:

	SELECT OWNER 
	FROM DBA_TABLES
	WHERE TABLE_NAME='T000';

The entry in the default password list for the user SAP with a password of 06071992 is actually an application level user. SAP systems also come with a default user called SAP* within R/3 (not in Oracle) and another user DDIC with a password of 19920706. Both of these users are harder to check for default passwords (and actually out of scope for this site as we are concentrating on Oracle security here). The hash values need to be collected for these users and they can be compared with the values in the Oracle database table SAPR3.USR02 or they can be tested at the application level.

What has changed in the default password list?

I decided to leave all of these accounts SAP (with passwords of SAPR3 and 06071992) even though they are actually application accounts. I do this because these users and passwords have circulated the Internet for about 3 years with these values as valid Oracle accounts. So to be complete I should leave them here in case anyone has created accounts in the database with the same values. I have also changed the descriptions accordingly in the download files.

Thanks and credit

Thanks to Rich Holland who has pointed out the changes to do with SAP passwords for my Oracle default user list.