Resource Access Management Launches Weak Password Detection Feature
Feb 26, 2026
Resource Access Management
Affected Time
Change content
To enhance account security and help you meet enterprise security and compliance requirements, Alibaba Cloud RAM (Resource Access Management) will gradually roll out a weak password detection feature starting March 10, 2026. This feature automatically identifies high-risk weak passwords and provides warnings or enforcement actions in key password-related scenarios.
Applicable Scenarios:
RAM User Logon
If the system detects that the currently used password is classified as weak, after successful login, the RAM user will be redirected to the password reset page with a recommendation to update to a stronger password. This step can be skipped—it does not affect the current login session.
When Setting or Changing Passwords in the RAM Console
This includes the following cases:
- User logs in for the first time or is prompted to reset due to password expiration, based on account security settings.
- User manually changes their login password on the "User Security Information" page.
- Administrator creates a new RAM user and sets a login password in the RAM console.
- Administrator resets a login password for another user in the RAM console.
In these cases, if the entered password is identified as weak, the system will block the operation. A new, secure password must be set before the action can be completed.
When Setting Passwords via OpenAPI (e.g., calling CreateLoginProfile, UpdateLoginProfile, or ChangePassword APIs)
Whether weak password interception is enabled depends on the "Intercept Risk Password On API" setting under Password Policy in RAM:
- Default: No (interception disabled)
- When set to Yes: If the password is detected as weak, the API call will fail. You must use a stronger password and retry.
Additional Information
- Security Assurance
Weak password detection is based on an authoritative, continuously updated weak password database, using encrypted comparison technology. Your password is encrypted on the server side—Alibaba Cloud does not collect, transmit, or store any plaintext passwords, ensuring data confidentiality and security.
- Coexistence with Existing Password Policies
The weak password detection feature works in parallel with the existing RAM password strength policies. Even if a password meets the administrator-defined complexity rules, it will still be blocked if it matches a known weak password.
- Rollout Method
This update will be deployed gradually through a phased (gray) release.
Impact of change
We recommend reviewing and strengthening passwords for critical accounts in advance to ensure uninterrupted operations. In particular, avoid using commonly used weak passwords as default initial passwords for newly created users.
For questions or assistance, please submit a support ticket or contact our service hotline. Thank you for your understanding and trust.