
Identity as a Service:Password policies

Last Updated:Jun 17, 2025

Alibaba Cloud IDaaS (Identity as a Service) allows administrators to centrally manage password-related policies to enhance account security. This document describes the password policy management features in IDaaS, including password complexity, initial passwords, periodic password changes, password history, forgotten passwords, and high-risk password detection policies.

Overview of password policies

IDaaS allows administrators to centrally manage password-related policies, including the following:

Password complexity

Passwords remain one of the weakest links in account security. Complexity requirements raise the cost of guessing, dictionary, and brute-force attacks, so a stricter template provides higher security.

To facilitate scenario selection, IDaaS provides five preset complexity templates in the Logon menu under the Password Policies tab, as described below:

Complexity template | Template content
No limit | Minimum 4 characters.
Low complexity | Minimum 6 characters, must include lowercase letters and numbers.
Common | Minimum 8 characters, must include uppercase letters, lowercase letters, and numbers.
Recommended | Minimum 10 characters, must include uppercase letters, lowercase letters, numbers, and special characters. The password cannot contain the account name.
High complexity | Minimum 16 characters, must include uppercase letters, lowercase letters, numbers, and special characters. The password cannot contain the account name, the display name or its pinyin, the phone number, or the email prefix.

You can select one of these templates, adjust the configuration based on it, or directly customize the configuration. The changes take effect after you save them.

Changing the complexity requirements does not affect existing passwords; they remain valid until they are next changed. Only passwords set, reset, or changed after the save must comply with the new restrictions. If existing weak passwords must be replaced, combine the tightened template with the periodic password change policy described below.

Important

According to the latest requirements from China Telecom Group, starting May 20, 2025, text messages sent to China Telecom mobile numbers containing the following content will likely be blocked, resulting in failed message delivery:

  • Text messages containing links or IP addresses.

  • Text messages containing contact information such as mobile numbers, landline numbers, or other customer service numbers.

Because IDaaS delivers usernames and randomly generated passwords to users by text message, this control policy means that passwords may not contain links (including short links and http strings) or contact information; otherwise the notification message would be blocked and the user would never receive the credentials.

Initial passwords

When importing accounts from an IdP (Identity Provider), it is usually not possible to obtain the user passwords from the IdP. IDaaS supports password initialization for newly imported accounts and notifies users to complete the new user login process.

  • Password initialization feature: Disabled by default. Administrators can enable it.

  • Password generation method: When an account is synchronized from an IdP to IDaaS without a password, you can choose "Generate randomly and notify users." A randomly generated password that meets complexity requirements will be sent to users through the selected text message or email notification channels.

  • Change password at first login: You can select Change Password At First Login to require users to change their password when they log on with the randomly generated password. Users must change their password before they can access the system, completing the self-service password update.
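As an added example (not IDaaS code, and not a description of how IDaaS implements these rules internally), the following Python models the five complexity templates from the table above, the text-message deliverability rule (no links, no contact numbers), and the "Generate randomly and notify users" step for initial passwords. The template keys, the set of special characters, the link and phone-number patterns, and the way the pinyin of the display name is supplied are all assumptions made for this illustration; IDaaS does not publish the exact patterns it applies.

```python
import re
import secrets
import string

# Constructed model of the five IDaaS complexity templates on this page.
# Keys and the "forbid" field names are assumptions for this example.
TEMPLATES = {
    "no_limit":    {"min_len": 4,  "classes": set(),                        "forbid": set()},
    "low":         {"min_len": 6,  "classes": {"lower", "digit"},          "forbid": set()},
    "common":      {"min_len": 8,  "classes": {"upper", "lower", "digit"}, "forbid": set()},
    "recommended": {"min_len": 10, "classes": {"upper", "lower", "digit", "special"},
                    "forbid": {"account"}},
    "high":        {"min_len": 16, "classes": {"upper", "lower", "digit", "special"},
                    "forbid": {"account", "display_name", "pinyin", "phone", "email_prefix"}},
}

SPECIALS = "!@#$%^&*()-_=+[]{};:,.?"  # assumed special-character set

CLASS_TESTS = {
    "upper":   lambda s: any(c.isupper() for c in s),
    "lower":   lambda s: any(c.islower() for c in s),
    "digit":   lambda s: any(c.isdigit() for c in s),
    "special": lambda s: any(not c.isalnum() for c in s),
}

# Text-message deliverability rule: no links (incl. short links / "http" strings)
# and no contact numbers. These patterns are assumptions; IDaaS's are not published.
LINK_RE = re.compile(r"https?|www\.|\.(com|cn|net|org)\b|://", re.IGNORECASE)
PHONE_RE = re.compile(r"\d{7,}")  # 7+ consecutive digits looks like a phone number


def check_password(password, template, user=None):
    """Return the list of violated rules; an empty list means the password is acceptable.

    `user` is a dict with the attributes a template may forbid, e.g. {"account": "zhangsan"}.
    The "pinyin" entry is supplied by the caller here (assumption: IDaaS derives it itself).
    """
    user = user or {}
    rule = TEMPLATES[template]
    problems = []
    if len(password) < rule["min_len"]:
        problems.append(f"shorter than {rule['min_len']} characters")
    for cls in sorted(rule["classes"]):
        if not CLASS_TESTS[cls](password):
            problems.append(f"missing {cls} character")
    lowered = password.lower()
    for field in sorted(rule["forbid"]):
        value = user.get(field)
        if value and value.lower() in lowered:
            problems.append(f"contains {field}")
    if LINK_RE.search(password):
        problems.append("contains link-like text")
    if PHONE_RE.search(password):
        problems.append("contains a phone-number-like digit run")
    return problems


def generate_password(template, user=None, length=None):
    """Random initial password that satisfies `template` and passes check_password()."""
    rule = TEMPLATES[template]
    length = max(length or rule["min_len"], rule["min_len"])
    pools = {"upper": string.ascii_uppercase, "lower": string.ascii_lowercase,
             "digit": string.digits, "special": SPECIALS}
    classes = rule["classes"] or {"lower", "digit"}  # "no limit" has no class rule; pick a sane pool
    alphabet = "".join(pools[c] for c in sorted(classes))
    rng = secrets.SystemRandom()
    while True:
        # One character from every required class, the remainder from the union, then shuffle
        # so the class-guaranteeing characters do not sit in predictable positions.
        chars = [secrets.choice(pools[c]) for c in sorted(classes)]
        chars += [secrets.choice(alphabet) for _ in range(length - len(chars))]
        rng.shuffle(chars)
        candidate = "".join(chars)
        # Re-validate: rejects the rare candidate that happens to contain a forbidden
        # attribute, an "http" run or a 7-digit run, which would fail at delivery time.
        if not check_password(candidate, template, user):
            return candidate
```

Validating the generated password with the same function that validates user-chosen passwords is the point: a random password that met the character-class rule but happened to contain the user's phone number, or a digit run that the SMS carrier blocks, would otherwise be accepted and then never delivered.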

Periodic password changes

Administrators can set the password expiration period and handling policies.

Expiration reminder

Administrators can enable expiration reminders to prompt users to change their passwords N days before expiration when they log on. Users can either change their password immediately or skip it for that session.

Password expiration effects

IDaaS provides three expiration handling methods: prohibit login, force password change, and remind to change password.

  • Prohibit login: The strictest handling method. Once a password expires it can no longer be used to log on, and because the logon fails, the password change process cannot be triggered from it. Users can only change their password after logging on through another method, or go through the password recovery process. Because users may be locked out in this way, and to reduce the workload of IT staff, it is recommended to combine this option with expiration reminders or with forcing a password change starting N days before expiration.

  • Force password change: A moderate handling method. Expired passwords can be used to log on, but users must change their password before they can access the portal or applications.

  • Remind to change password: The most lenient handling method. Each time an expired password is used to log on, a password change reminder appears, but users can skip it each time.

Note

Password expiration only affects user login and does not affect the status of the account itself.
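The interaction between the reminder window, the pre-expiry forced change, and the three expiration handling methods is easy to misconfigure. The following Python is an added example, not IDaaS code, that encodes the behaviour described above as a single decision function so the outcomes can be tabulated before a policy is rolled out. The field names, the decision labels, and the `lockout_risk` helper are assumptions made for this illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Possible outcomes of a password logon under the expiry policy (labels are assumptions).
ALLOW = "allow"                # password accepted, no prompt
REMIND = "remind"              # accepted; change prompt shown, user may skip it
FORCE_CHANGE = "force_change"  # accepted only to reach the change-password step
DENY = "deny"                  # password refused; no change flow reachable from this logon


@dataclass(frozen=True)
class ExpiryPolicy:
    max_age_days: int           # validity period of a password
    remind_days_before: int     # expiration reminder window; 0 disables the reminder
    on_expiry: str              # "prohibit_login", "force_change" or "remind"
    force_days_before: int = 0  # with prohibit_login: force a change N days before expiry


def evaluate_login(policy, changed_on, today):
    """Classify a password logon given the date the password was last changed."""
    expires_on = changed_on + timedelta(days=policy.max_age_days)
    days_left = (expires_on - today).days
    if days_left > 0:
        # Not yet expired. The pre-expiry forced change (recommended companion to
        # prohibit_login) takes precedence over the skippable reminder.
        if policy.on_expiry == "prohibit_login" and days_left <= policy.force_days_before:
            return FORCE_CHANGE
        if policy.remind_days_before and days_left <= policy.remind_days_before:
            return REMIND
        return ALLOW
    # Expired: apply the configured handling method. Note that the account itself is
    # unaffected; only this password-based logon is.
    return {
        "prohibit_login": DENY,
        "force_change": FORCE_CHANGE,
        "remind": REMIND,
    }[policy.on_expiry]


def lockout_risk(policy):
    """True when expiry can lock users out with no warning and no self-service path
    from a password logon, i.e. prohibit_login with neither reminder nor forced change."""
    return (policy.on_expiry == "prohibit_login"
            and policy.remind_days_before == 0
            and policy.force_days_before == 0)
```

Running `evaluate_login` over a few dates around the expiry date for the intended policy shows exactly which day users stop seeing a skippable reminder, which day they are forced to change, and which day they are locked out; `lockout_risk` flags the configuration the section above recommends against.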

Password history

IDaaS allows administrators to enable password history checking. When users change their passwords, they are prevented from reusing any of their N most recently used passwords to reduce security risks associated with password reuse.
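A history check must never keep old passwords in clear text; it stores their hashes and verifies the candidate against each of the N most recent entries. The Python below is an added example of that pattern and is not IDaaS code; how IDaaS stores its history is not described on this page. It uses scrypt from the standard library with a per-entry random salt, so a candidate has to be hashed once per stored entry (salts differ), and the history depth of 5 is an assumed value for N.

```python
import hashlib
import hmac
import secrets

HISTORY_DEPTH = 5  # the "N" in the policy; assumed value for this example

# scrypt cost parameters: 128 * n * r bytes of memory, here 16 MiB per verification.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def hash_password(password, salt=None):
    """scrypt hash with a fresh random salt, serialised as 'salthex:digesthex'."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P)
    return salt.hex() + ":" + digest.hex()


def matches(password, stored):
    """Constant-time comparison of `password` against one stored history entry."""
    salt_hex, digest_hex = stored.split(":")
    candidate = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex),
                               n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P)
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def reused_recently(new_password, history, depth=HISTORY_DEPTH):
    """True if new_password equals any of the `depth` most recent entries in `history`.

    Because every entry carries its own salt, the candidate is re-hashed for each
    entry; the cost of the check therefore grows linearly with N.
    """
    if depth <= 0:
        return False
    return any(matches(new_password, entry) for entry in history[-depth:])


def change_password(new_password, history, depth=HISTORY_DEPTH):
    """Append the hash of the new password, or raise if it repeats a recent password."""
    if reused_recently(new_password, history, depth):
        raise ValueError(f"password matches one of the last {depth} passwords")
    history.append(hash_password(new_password))
    return history
```

Trimming `history` to the last N entries after each change keeps storage bounded; keeping more than N would let the check silently enforce a deeper history than the policy says.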

Forgotten passwords

If users forget their passwords when logging on, they can set new passwords through IDaaS self-service.

  • Default feature status: Not enabled.

  • Enabling method: On the administrator side, you can enable the forgotten password feature by selecting the checkbox in Logon > Password Policies > Forgotten Password tab. After enabling, a Forgot Password option appears at the bottom of the password login page.

  • Recovery process: Click Forgot Password to authenticate your identity through Text Message, Email Verification, OTP Dynamic Password Verification, or WebAuthn Verification, and then set a new password that complies with the rules.

    Note

    If your account does not have a phone number or email address set up, and you have not bound an OTP dynamic password or WebAuthn, you cannot recover your password through self-service. Please contact your administrator to reset your password.

High-risk password detection

IDaaS maintains a database of publicly leaked passwords. When a user changes their password, the new password is checked against this database and a warning is shown on the page if it is found. This feature is enabled by default and cannot be disabled, so it has no setting in the management interface. The password detection prompt appears as follows.

If you receive a prompt indicating that your new password has a leak record, the password appears in a public breach corpus and is likely to be among the first candidates an attacker tries against your account. We strongly recommend that you set a different new password.
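The page does not say how IDaaS queries its leaked-password database. As an added example, not IDaaS code, the following Python shows one widely used way to implement such a check without ever sending the password or its full hash to the lookup service: the k-anonymity range protocol popularised by Have I Been Pwned, in which the client sends only the first five hex characters of the SHA-1 digest and matches the suffix locally. The breach corpus here is a constructed three-entry stand-in with made-up counts, so the block runs offline.

```python
import hashlib

# Constructed stand-in for a breach corpus: SHA-1 digests (uppercase hex) -> occurrence
# count. The passwords and counts are illustrative only; a real corpus holds hundreds of
# millions of entries and is served, not embedded.
LEAKED = {
    hashlib.sha1(p.encode()).hexdigest().upper(): n
    for p, n in {"password": 1000, "123456": 5000, "qwerty123": 7}.items()
}


def range_lookup(prefix5):
    """Server side of the range protocol: every 'SUFFIX:COUNT' whose digest starts with
    the 5-character prefix. The server never sees the password or the full digest."""
    return [f"{digest[5:]}:{count}" for digest, count in LEAKED.items()
            if digest.startswith(prefix5)]


def leak_count(password, lookup=range_lookup):
    """Client side: hash locally, query by prefix, match the suffix at home.
    Returns the number of known leaks; 0 means no record."""
    digest = hashlib.sha1(password.encode()).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    for line in lookup(prefix):
        candidate_suffix, count = line.split(":")
        if candidate_suffix == suffix:
            return int(count)
    return 0


def is_high_risk(password):
    """The check a password-change form would run before accepting the new password."""
    return leak_count(password) > 0
```

SHA-1 is acceptable here only because it is used as an index into a corpus of already-public strings, not to protect a secret; the privacy property comes from the 5-character prefix, which in a real corpus maps to hundreds of candidate suffixes, so the service learns only that the password is one of them.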