Elastic Compute Service: Avoid using weak passwords to log on to instances

Last Updated:Nov 10, 2025

Avoid using weak passwords (simple passwords) to log on to Elastic Compute Service (ECS) instances. Use key pair authentication, strong password authentication, or a password-free connection using Workbench. Change your credentials regularly to improve instance access security and eliminate the security risks caused by weak passwords.

Security risks

Using a username and password to log on to a server is a convenient but high-risk authentication method. A weak password is one of the most common and easily exploited vulnerabilities. Many users set weak passwords, such as 123456 or admin@123, because they are easy to remember. This practice introduces the following security risks:

  • Brute-force attacks: Attackers use automated tools, such as Hydra and John the Ripper, to quickly try common password combinations. They can crack weak passwords in a short time.

  • Data breach: After cracking a password, an attacker can steal sensitive data, such as personal and financial information, or impersonate the user to commit fraud.

  • Lateral attacks: An attacker uses a weak password to compromise a low-privilege account, such as a regular employee's mailbox. Then, they can move laterally within the internal network to gain administrator permissions or control over key systems.

  • Dictionary attacks: This risk is magnified when users reuse the same weak password across different platforms. If one platform experiences a data breach, an attacker can use the leaked credentials to attempt to access the user's other accounts.

Best practices

Linux instances

Use key pair authentication. It is more secure than password authentication.

Console

When you create an instance on the instance buy page, set Logon Credential to Key Pair. Then, select an existing Key Pair.

If you do not have a key pair, click Create Key Pair and then select it.

API

When you create an instance by calling the RunInstances or CreateInstance operation, specify the KeyPairName parameter. The password parameter is then ignored.

If you do not have a key pair, call the CreateKeyPair operation to create one.

Windows instances

Use strong password authentication. Key pair authentication is not supported.

When you create an instance on the instance buy page, set Logon Credential to Custom Password. Then, follow the prompts to set a complex (strong) Logon Password:

  • A complex password must meet the following requirements:

    • The password must be at least 8 characters long.

    • It must contain at least three of the following character types: uppercase letters (A–Z), lowercase letters (a–z), digits (0–9), and special characters (~, !, @, $, %, ^, &, *, -, _, =, +, #, /, ?).

    • The password cannot be the username or the username in reverse.

  • Do not use common or publicly known weak passwords, such as:

    • Publicly known weak passwords, such as abcd1234, admin, root, and admin@123.

    • Consecutive or mixed sequences of numbers and letters, or consecutive keys on the keyboard, such as 123456, abcdef, 123abc, qwerty, and 1qaz2wsx.

    • Phrase-based passwords, such as 5201314 and woaini1314.

    • Company names, birthdays, names, ID numbers, phone numbers, email addresses, user IDs, and years.

  • Change your password regularly.

    We recommend changing your password every 90 days.
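The complexity rules above, as an added checker that is not part of the original page or of the ECS console: it takes a candidate password and the account's username and returns the rules the password violates. The denylist and the sequence detector are constructed from the page's own examples; a production check would load a large breached-password list instead.

```python
import re
from typing import List

# Special characters accepted by the rule on this page.
SPECIAL_CHARS = set("~!@$%^&*-_=+#/?")

# Constructed denylist seeded from the page's own examples. A real check would
# load a large breached-password list instead.
WEAK_PASSWORDS = {
    "abcd1234", "admin", "root", "admin@123",
    "123456", "abcdef", "123abc", "qwerty", "1qaz2wsx",
    "5201314", "woaini1314",
}

# Rows used to spot consecutive runs (123456, abcdef, qwerty). Column patterns
# such as 1qaz2wsx are not runs on a row and are caught by the denylist instead.
KEY_ROWS = ("1234567890", "abcdefghijklmnopqrstuvwxyz", "qwertyuiop", "asdfghjkl", "zxcvbnm")


def character_classes(password: str) -> int:
    """Count how many of the four character types the password uses."""
    classes = 0
    if re.search(r"[A-Z]", password):
        classes += 1
    if re.search(r"[a-z]", password):
        classes += 1
    if re.search(r"[0-9]", password):
        classes += 1
    if any(ch in SPECIAL_CHARS for ch in password):
        classes += 1
    return classes


def contains_sequence_run(password: str, window: int = 5) -> bool:
    """True if any `window` consecutive characters form a forward or backward run on a key row."""
    lowered = password.lower()
    for i in range(len(lowered) - window + 1):
        chunk = lowered[i:i + window]
        if any(chunk in row or chunk in row[::-1] for row in KEY_ROWS):
            return True
    return False


def check_password(password: str, username: str) -> List[str]:
    """Return the rules a candidate password violates; an empty list means it passes."""
    problems = []
    lowered = password.lower()
    user = username.lower()
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    if character_classes(password) < 3:
        problems.append("fewer than three character types")
    if lowered in (user, user[::-1]):
        problems.append("equals the username or the reversed username")
    if lowered in WEAK_PASSWORDS:
        problems.append("publicly known weak password")
    if contains_sequence_run(password):
        problems.append("contains a keyboard or alphanumeric sequence")
    return problems


if __name__ == "__main__":
    for candidate in ("123456", "admin@123", "Ecs-Demo_2025"):
        print(candidate, "->", check_password(candidate, "administrator") or "ok")
```

The sequence check uses a five-character window so that ordinary words containing a short run such as "abc" are not rejected, while 123456, abcdef and qwerty are.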

Compliance

Check: Find Linux instances that do not use key pair authentication

ECS Insight

  1. Go to ECS Insight.

  2. Select the Security tab. Click the Use of Key Pairs (Linux Only) check item to view the Linux instances that do not use key pair authentication.

Security Center

  1. Go to the Security Center console.

  2. In the navigation pane on the left, choose Risk Governance > CSPM. Select the Cloud Service Configuration Risk tab. Find the check item named Logons Using SSH Key Pairs and click Scan in the Actions column.

    If the status is Failed, one or more Linux instances that do not use key pair authentication exist. Click Details to view the instances.

Block: Prohibit password authentication when you create Linux instances or perform other operations

Use a Resource Access Management (RAM) policy at the organization or account level to block actions that set passwords for Linux instances.

  • For enterprise users:

    1. Log on to the Resource Directory console with your Alibaba Cloud account. In the navigation pane on the left, click Control Policies. Create a custom policy and paste the following JSON content.

      This policy denies the use of password authentication when you create instances, attach system disks, replace system disks, modify instance attributes, or modify passwords.

      {
          "Version": "1",
          "Statement": [
              {
                  "Action": [
                      "ecs:RunInstances",
                      "ecs:CreateInstance",
                      "ecs:ReplaceSystemDisk"
                  ],
                  "Resource": "*",
                  "Condition": {
                      "Bool": {
                          "ecs:PasswordCustomized": [
                              "true"
                          ]
                      },
                      "StringEquals": {
                          "ecs:ImagePlatform": "linux"
                      }
                  },
                  "Effect": "Deny"
              },
              {
                  "Action": [
                      "ecs:ModifyInstanceAttribute",
                      "ecs:InvokeCommand",
                      "ecs:AttachDisk"
                  ],
                  "Resource": "*",
                  "Condition": {
                      "Bool": {
                          "ecs:PasswordCustomized": [
                              "true"
                          ]
                      }
                  },
                  "Effect": "Deny"
              }
          ]
      }
    2. Attach the policy to the appropriate node in your resource directory. The policy then blocks the specified actions for all accounts under that node.

  • For non-enterprise users:

    1. Log on to the RAM console with your Alibaba Cloud account. In the navigation pane on the left, click Policies. Create a custom policy with the same content as the policy above.

    2. Attach the policy to a RAM user, RAM user group, or RAM role. For more information, see Grant permissions to a RAM user.
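To see how the two statements of the policy above combine, here is a small evaluator, added as an example and not Alibaba Cloud's RAM engine, that applies the policy to constructed request contexts. It models only the Bool and StringEquals operators used on this page and assumes the usual RAM semantics: every key in a Condition must hold, a key missing from the request does not hold, and a matching Deny statement wins. The Resource element is "*" in both statements, so it is not modelled.

```python
from typing import Any, Dict, List

# The RAM policy shown above, embedded so the example runs offline.
POLICY: Dict[str, Any] = {
    "Version": "1",
    "Statement": [
        {
            "Action": ["ecs:RunInstances", "ecs:CreateInstance", "ecs:ReplaceSystemDisk"],
            "Resource": "*",
            "Condition": {
                "Bool": {"ecs:PasswordCustomized": ["true"]},
                "StringEquals": {"ecs:ImagePlatform": "linux"},
            },
            "Effect": "Deny",
        },
        {
            "Action": ["ecs:ModifyInstanceAttribute", "ecs:InvokeCommand", "ecs:AttachDisk"],
            "Resource": "*",
            "Condition": {"Bool": {"ecs:PasswordCustomized": ["true"]}},
            "Effect": "Deny",
        },
    ],
}


def _as_list(value: Any) -> List[Any]:
    return value if isinstance(value, list) else [value]


def _action_matches(pattern: str, action: str) -> bool:
    """Exact match, or prefix match when the pattern ends with '*' (e.g. ecs:*)."""
    if pattern.endswith("*"):
        return action.startswith(pattern[:-1])
    return pattern == action


def _condition_holds(condition: Dict[str, Dict[str, Any]], context: Dict[str, Any]) -> bool:
    """All operators and all keys must hold (AND); a key holds if the request's
    value equals any listed value (OR). A key absent from the request never holds.
    Only the two operators used on this page are modelled (assumption of this example)."""
    for operator, keys in condition.items():
        if operator not in ("Bool", "StringEquals"):
            raise NotImplementedError(f"operator {operator} not modelled in this example")
        for key, expected in keys.items():
            if key not in context:
                return False
            actual = str(context[key])
            candidates = [str(v) for v in _as_list(expected)]
            if operator == "Bool":
                actual, candidates = actual.lower(), [c.lower() for c in candidates]
            if actual not in candidates:
                return False
    return True


def is_denied(policy: Dict[str, Any], action: str, context: Dict[str, Any]) -> bool:
    """True when at least one Deny statement matches the action and its conditions hold."""
    for statement in policy["Statement"]:
        if statement.get("Effect") != "Deny":
            continue
        if not any(_action_matches(p, action) for p in _as_list(statement["Action"])):
            continue
        if _condition_holds(statement.get("Condition", {}), context):
            return True
    return False


if __name__ == "__main__":
    # Constructed request contexts: platform plus whether a password was supplied.
    cases = [
        ("ecs:RunInstances", {"ecs:PasswordCustomized": True, "ecs:ImagePlatform": "linux"}),
        ("ecs:RunInstances", {"ecs:PasswordCustomized": True, "ecs:ImagePlatform": "windows"}),
        ("ecs:RunInstances", {"ecs:PasswordCustomized": False, "ecs:ImagePlatform": "linux"}),
        ("ecs:ModifyInstanceAttribute", {"ecs:PasswordCustomized": True}),
    ]
    for action, ctx in cases:
        print(action, ctx, "->", "DENY" if is_denied(POLICY, action, ctx) else "not denied by this policy")
```

The run shows the asymmetry worth knowing before you attach the policy: the first statement denies password creation only when ecs:ImagePlatform is linux, so Windows instances (which need a password) are unaffected, while the second statement denies a customized password on ModifyInstanceAttribute, InvokeCommand and AttachDisk regardless of platform.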

Fix: Switch existing instances to key pair logon

If a check finds existing Linux instances that use password logon, switch them to key pair authentication.

  1. Attach a key pair: Attach an existing key pair, or create a new key pair and attach it to the instance.

    After you attach the key pair, try to log on to the instance with the new key pair to ensure that you can access the instance.

  2. Disable password logon: Log on to the instance and run the following script to modify the Secure Shell Protocol (SSH) service configuration file.

    #!/bin/bash
    # Run as root. Back up the original configuration file first.
    cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak_$(date +%F)
    
    # Disable password authentication: change the PasswordAuthentication parameter to no.
    # The sed rewrites both active and commented-out lines; if the file has no such line
    # at all, append one.
    sed -i 's/^#*[[:space:]]*PasswordAuthentication.*/PasswordAuthentication no/' /etc/ssh/sshd_config
    grep -q '^PasswordAuthentication no' /etc/ssh/sshd_config || echo 'PasswordAuthentication no' >> /etc/ssh/sshd_config
    
    # If sshd_config contains an Include directive, drop-in files under /etc/ssh/sshd_config.d/
    # can override this setting. Check the effective value with: sshd -T | grep -i passwordauthentication
    
    # Validate the configuration before restarting so that a syntax error cannot lock you out
    sshd -t || exit 1
    
    # Restart the SSH service for the configuration to take effect
    # The service name may be sshd or ssh, depending on the operating system
    systemctl restart sshd 2>/dev/null || systemctl restart ssh 2>/dev/null || service sshd restart || service ssh restart
  3. Verify: After the operation is complete, restart the instance. Try to log on to the instance using password authentication. The logon attempt should fail. Then, try to log on using the key pair to confirm that the key pair logon is successful.
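Why editing the main file alone can leave password logon enabled: sshd keeps the first value it reads for a keyword and expands an Include directive at the point where it appears, so on images whose sshd_config begins with Include /etc/ssh/sshd_config.d/*.conf, a drop-in that says PasswordAuthentication yes takes precedence over the line edited in the main file. The following added example (not part of the original page) models that lookup on an in-memory copy of the files, applies the same rewrite as the script's sed to the main file and to the drop-ins, and then confirms the effective value. The file layout and contents, including the drop-in name, are constructed.

```python
import fnmatch
import re
from typing import Dict, Optional

MAIN_CONFIG = "/etc/ssh/sshd_config"

# Constructed in-memory copy of an sshd configuration. The layout mimics a
# distribution whose main file starts with an Include directive and ships a
# drop-in that turns password logon on.
SAMPLE_FILES: Dict[str, str] = {
    MAIN_CONFIG: (
        "Include /etc/ssh/sshd_config.d/*.conf\n"
        "#PasswordAuthentication yes\n"
        "PubkeyAuthentication yes\n"
    ),
    "/etc/ssh/sshd_config.d/50-cloud-init.conf": "PasswordAuthentication yes\n",
}


def effective_value(files: Dict[str, str], keyword: str, start: str = MAIN_CONFIG) -> Optional[str]:
    """Resolve a keyword the way sshd does: the first value wins and Include expands in place.

    `files` maps path -> contents; an Include value is treated as one unquoted glob,
    matched against those paths and processed in sorted order, like glob(3).
    """
    wanted = keyword.lower()

    def walk(path: str) -> Optional[str]:
        for raw in files.get(path, "").splitlines():
            line = raw.strip()
            if not line or line.startswith("#"):
                continue
            parts = line.split(None, 1)
            key = parts[0].lower()
            value = parts[1].strip() if len(parts) > 1 else ""
            if key == "include":
                for included in sorted(p for p in files if fnmatch.fnmatch(p, value)):
                    found = walk(included)
                    if found is not None:
                        return found
            elif key == wanted:
                return value
        return None

    return walk(start)


# Same rewrite as the page's sed: an active or commented-out PasswordAuthentication
# line becomes "PasswordAuthentication no"; [ \t]* also tolerates "# PasswordAuthentication".
_PA_LINE = re.compile(r"^#*[ \t]*PasswordAuthentication\b.*$", re.MULTILINE)


def disable_password_auth(text: str, append_if_missing: bool = True) -> str:
    """Rewrite every PasswordAuthentication line; optionally append one if none existed."""
    new_text, count = _PA_LINE.subn("PasswordAuthentication no", text)
    if count == 0 and append_if_missing:
        new_text = new_text.rstrip("\n") + "\nPasswordAuthentication no\n"
    return new_text


def harden(files: Dict[str, str]) -> Dict[str, str]:
    """Apply the rewrite to the main file and every drop-in, then make sure the
    effective value really is "no" (append to the main file if the keyword was
    absent everywhere)."""
    updated = {path: disable_password_auth(text, append_if_missing=False) for path, text in files.items()}
    if effective_value(updated, "PasswordAuthentication") != "no":
        updated[MAIN_CONFIG] = updated.get(MAIN_CONFIG, "").rstrip("\n") + "\nPasswordAuthentication no\n"
    return updated


if __name__ == "__main__":
    print("before:", effective_value(SAMPLE_FILES, "PasswordAuthentication"))
    main_only = dict(SAMPLE_FILES)
    main_only[MAIN_CONFIG] = disable_password_auth(SAMPLE_FILES[MAIN_CONFIG])
    print("after editing the main file only:", effective_value(main_only, "PasswordAuthentication"))
    print("after hardening all files:", effective_value(harden(SAMPLE_FILES), "PasswordAuthentication"))
```

On a real instance the equivalent of effective_value is sshd -T, which prints the configuration sshd will actually use after all Include expansion; the verification step above (a password logon that fails and a key pair logon that succeeds) remains the final check.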