Notice on the Launch of Initial Login Password Expiration for RAM Users
Dec 30, 2025
Resource Access Management
Affected Time
Change Content
Alibaba Cloud is committed to enhancing cloud service security and strives to help you better protect your account and assets. If a RAM user enabled for console login remains unused for a long period after creation, there is a risk that the initial password could be compromised, potentially threatening the security of all resources under the account, leading to unexpected charges or even malicious ransom attacks. To mitigate such risks, Resource Access Management will launch a feature called "Default validity period for initial login passwords of RAM users."
Starting from January 26, 2026, newly created or re-enabled console login passwords will be marked as an "initial password" under specific conditions, with a default validity period of 14 days. If the user does not complete a successful first login within this period, the password will automatically expire.
- The following scenarios qualify as an "initial password":
  - The first console login password set for a newly created RAM user
  - A password set when re-enabling console login after clearing the login settings
  - A new password set before the previous initial password was successfully used to log in; in this case, it remains an "initial password," and the 14-day validity period restarts
  Note: Disabling console login does not pause or extend the validity period of an initial password.
- Rules for initial password expiration:
  - If no successful login occurs within 14 days, the initial password will automatically expire. The user will no longer be able to use it to log in and must have the password reset by an administrator.
  - Once the user successfully logs in using the initial password within the 14-day window, the password is no longer considered "initial." Subsequent expiration behavior follows the account-level password policy (e.g., password max age, whether to disable login after password expiration). Any modified password is likewise not considered an initial password.
  - Both the password max age and the initial password age apply simultaneously; the shorter duration takes precedence.
- Configurable initial password validity period: To improve management flexibility, a new setting, "Initial Password Age," will be added under Password Policy Settings, allowing administrators to customize the duration:
  - Adjustable range: 0–90 days
  - Default value: 14 days
  - Setting to 0 days disables the initial password expiration policy
  Note: It is recommended not to set the initial password age longer than the password max age to avoid complicating password management.
- User prompts and query methods:
  - When creating or resetting a password, the system will clearly indicate whether it is an initial password.
  - Administrators can check password status and validity through the console or by calling relevant OpenAPIs (e.g., GetLoginProfile).
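The expiration rules above can be expressed as a small audit check that flags users whose never-used passwords have expired or are about to. This Python is an added example, not Alibaba Cloud code: the `LoginProfile` record, its field names and the sample users are hypothetical (not the GetLoginProfile response schema), and it assumes a password max age of 0 means no max age is configured.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

@dataclass
class LoginProfile:
    # Hypothetical record shape for this example, not the GetLoginProfile schema.
    user: str
    password_set_at: datetime           # latest set/reset time; a reset restarts the window
    first_login_at: Optional[datetime]  # first successful login with this password

def unused_password_deadline(p, initial_age_days=14, max_age_days=0):
    """Expiry time of a password never used to log in, or None if none applies.

    Assumption: max_age_days == 0 means no max age is configured.
    Disabling console login does not pause the clock, so it is not modelled.
    """
    if p.first_login_at is not None:
        return None  # no longer an initial password; account-level policy applies
    # 0 disables a limit; when both are set, the shorter one takes precedence.
    limits = [d for d in (initial_age_days, max_age_days) if d > 0]
    return p.password_set_at + timedelta(days=min(limits)) if limits else None

def classify(p, now, warn_days=3, **policy):
    deadline = unused_password_deadline(p, **policy)
    if deadline is None:
        return "no-initial-deadline"
    if now >= deadline:
        return "expired"  # an administrator must reset the password
    if deadline - now <= timedelta(days=warn_days):
        return "expiring-soon"
    return "pending-first-login"

# Constructed sample data (not real accounts).
NOW = datetime(2026, 3, 1)
USERS = [
    LoginProfile("alice", datetime(2026, 2, 10), None),
    LoginProfile("bob", datetime(2026, 2, 16), None),
    LoginProfile("carol", datetime(2026, 2, 25), None),
    LoginProfile("dave", datetime(2026, 2, 1), datetime(2026, 2, 3)),
]

def audit(users, now, **policy):
    return {u.user: classify(u, now, **policy) for u in users}

if __name__ == "__main__":
    for name, status in audit(USERS, NOW).items():
        print(f"{name:6} {status}")
```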
Impact of the change
The feature will roll out gradually starting January 26, 2026, and complete full release by February 6, 2026.
RAM administrators are advised to pay attention to this change, configure the initial password age appropriately, and notify users of the password expiration policy upon account creation to prevent service disruption due to expired passwords.
If you have any questions or need further assistance, please contact us via ticket or customer service hotline. Thank you for your understanding and trust.