To enhance the sign-in security of all RAM users in your Alibaba Cloud account and meet enterprise security and compliance requirements, you can configure a unified password policy for all RAM users. This policy can include rules for password length, password validity period, and password history checks. This topic shows you how to configure a password policy and provides recommendations.
A password policy is an account-level global setting. Once modified, it affects all RAM users in the current Alibaba Cloud account. RAM does not support different password policies for different user groups or individual users.
Usage notes
Before you configure a password policy, note the following:
- Policy scope: The password policy applies only to RAM users who sign in to the console with a username and password. It does not affect programmatic access that uses an AccessKey.
- When policy changes take effect: After you modify the password policy, for example, by increasing the required password length or setting an expiration period, existing users are not immediately forced to change their passwords. The new policy applies the next time a user changes their password, either when prompted at sign-in or by manually resetting it.
- Special sign-in scenarios:
  - SSO integration: If your enterprise uses an identity provider (IdP) for SSO integration with Alibaba Cloud, you do not need to set sign-in passwords for RAM users. If you do set passwords for these RAM users, the passwords must comply with this policy and can be used for sign-in if SSO is disabled.
- Password storage: Alibaba Cloud does not store your passwords in plaintext. Instead, it stores a salted hash produced by a one-way function. This value cannot be reversed to reveal the original password, so your passwords remain protected even if the stored value is exposed.
Procedure
As the root account or a RAM user with RAM administrator permissions (AliyunRAMFullAccess), you can configure or modify a unified password policy for all RAM users.
Console
- Sign in to the RAM console.
- On the Settings page, in the Password Policy section, click Modify to configure the password rules.
- Click OK.
API
- Call GetPasswordPolicy to view the current password policy.
- Call SetPasswordPolicy to modify the password policy.
Password policy parameters
| Parameter | Description | Default | Recommendation |
| --- | --- | --- | --- |
| Length | The minimum number of characters in a password. Valid values: 8 to 32. | 8 | |
| Charset | Specifies the character types that a password must contain. You can require one or more of the following: uppercase letters, lowercase letters, numbers, and special characters. | Disabled | We recommend that you select at least three character types. |
| Different Characters | The minimum number of unique characters required in a password. Maximum value: 8. For example, if you set this to 3, a password like | Disabled | Set this to 4 or higher to prevent weak passwords constructed from repeating characters. |
| Do Not Contain Username | Prohibits a password from containing the username. | Disabled | We recommend that you enable this setting. |
| Disable Logon after Password Expiration | Specifies whether a user with an expired password can sign in to the console to change it. If enabled, the user is blocked from signing in and must contact an administrator to reset their password. | Disabled | Setting a Password Max Age or an Initial Password Max Age might cause some passwords to expire immediately. To avoid sign-in disruptions, we recommend that you do not enable this setting while adjusting these validity periods. |
| Password Max Age | The number of days a password can be used before it expires. The maximum is 1095 days. Note: Resetting a password restarts its validity period. | Disabled | We recommend a period of 90 days or less. |
| Initial Password Max Age | The number of days an initial password is valid. If a user does not sign in for the first time within this period, the password expires. You can set a period from 0 to 90 days. A value of 0 disables this policy. | 14 days | We recommend keeping the default of 14 days. The initial password validity period should not exceed the password validity period. |
| Do Not Repeat History | Prohibits a user from reusing the last N passwords. The maximum value of N is 24. | Disabled | |
| Max Attempts | The number of consecutive failed sign-in attempts within one hour that locks an account for one hour. The maximum is 32. Note: Resetting a password clears the count of failed sign-in attempts. | Disabled | We recommend a maximum of 5 attempts. |
| Intercept Risk Password From API | When enabled, the system performs a risk assessment on passwords that are set by using the | Disabled | Before enabling this setting, review your existing automation scripts and programs to ensure the passwords they set can pass the risk assessment. After this feature is enabled, API calls that attempt to set a weak password will fail, which may disrupt user creation or password reset workflows. |
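The recommendation above asks you to review automation that sets passwords before enabling the API intercept. The following added example (not Alibaba Cloud's code, and not the service's actual risk assessment) is a local pre-check that mirrors the policy parameters in the table, so a provisioning script can reject a password before it calls SetPasswordPolicy-governed user operations. The `PasswordPolicy` field names, the `check_password` function and the sample passwords are assumptions constructed for this example; the values are this page's recommended settings.

```python
"""Local pre-check that mirrors the RAM password policy parameters on this page."""
from dataclasses import dataclass
import string


@dataclass
class PasswordPolicy:
    # Field names are hypothetical; values follow this page's recommendations.
    min_length: int = 12           # Length (valid values: 8 to 32)
    min_charsets: int = 3          # Charset: character types required (max 4)
    min_different_chars: int = 4   # Different Characters (max 8)
    forbid_username: bool = True   # Do Not Contain Username
    history_depth: int = 5         # Do Not Repeat History (N, max 24)


def charset_count(pw: str) -> int:
    """Number of character types present: uppercase, lowercase, digit, special."""
    alnum = string.ascii_letters + string.digits
    classes = [string.ascii_uppercase, string.ascii_lowercase, string.digits]
    count = sum(1 for cls in classes if any(c in cls for c in pw))
    if any(c not in alnum for c in pw):
        count += 1  # anything outside letters/digits counts as a special character
    return count


def check_password(pw: str, username: str, policy: PasswordPolicy,
                   history: tuple = ()) -> list:
    """Return the names of violated rules; an empty list means the password passes."""
    violations = []
    if len(pw) < policy.min_length:
        violations.append("length")
    if charset_count(pw) < policy.min_charsets:
        violations.append("charset")
    if len(set(pw)) < policy.min_different_chars:
        violations.append("different_characters")
    # Case-insensitive match so a capitalised username does not slip through
    if policy.forbid_username and username and username.lower() in pw.lower():
        violations.append("username")
    # history is the script's own record of previous passwords, newest first;
    # only the last N entries count, matching "Do Not Repeat History"
    if pw in history[:policy.history_depth]:
        violations.append("history")
    return violations


if __name__ == "__main__":
    policy = PasswordPolicy()
    print(check_password("Tr0ub4dor&3xyz", "alice", policy))  # []
    print(check_password("aaaaaaaaaaaa", "bob", policy))       # ['charset', 'different_characters']
```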