One of the easiest and most common ways to hack SAP system is to try to connect using default passwords. Some of them are well-known and some are not (for example TMSADM). All users having default passwords are very powerful.
So if you think that you are great GRC Expert and seeking to secure your SAP environment trying to solve 5-dimensional cross-system SOD conflicts, there are some things you must do right now - CHANGE THESE PASSWORDS!
SAP*:06071992 or PASS clients: 000 001 066 and custom
DDIC:19920706 clients: 000 001 066 and custom
SAPCPIC:ADMIN clients: 000 001 and custom
EARLYWATCH:support clients: 066
TMSADM:password clients: 000 001
P.S. If you think that this is a well-known problem and everybody has already changed it, you are mistaken. During ALL security assessments each time I see at least one system with those passwords.