This topic describes how different roles, such as a RAM administrator or the RAM user, can change a RAM user's login password in the console or by calling an API. This procedure is useful for periodically rotating passwords to meet security requirements, or for resetting a password that is forgotten, expired, or has locked the user's account.
Impacts
Changing a RAM user's login password has the following impacts. Perform this operation during off-peak hours.
Forced console sign-out: All active console sessions for the RAM user are immediately terminated. The user must sign in again with the new password.
Associated session termination: Any active sessions for RAM roles that the user has assumed are also terminated.
AccessKeys unaffected: The user's AccessKeys are not affected.
Weak password detection and blocking
When you create or change the login password of a RAM user, Resource Access Management (RAM) checks it against a continuously updated library of weak passwords. This check uses an encrypted comparison to identify and block high-risk weak passwords. Alibaba Cloud does not access, transmit, or store plaintext passwords. RAM may still block a password if it is identified as weak, even if it meets the strength requirements. To learn how to configure a password policy, see Set the password policy for RAM users.
Console
Detection timing: The check is triggered when you select Custom Password and submit the change. Auto-generated passwords are not checked for weakness. This applies to the following scenarios:
An administrator creates a new user and sets a login password.
An administrator resets a user's login password.
A user is required to reset their password at first sign-in or after it expires.
A user voluntarily changes their own login password.
Blocking behavior: If a password is identified as weak, the system blocks it and prompts you for a different one. You must enter a new password that meets the password strength policy and is not considered weak.
API
Prerequisite: You must enable Block risk passwords when setting passwords through API in the password policy. This option is disabled by default. For more information, see Set the password policy for RAM users.
Affected API operations: CreateLoginProfile, UpdateLoginProfile, and ChangePassword. If this feature is enabled, the API call fails when a weak password is provided for the
PasswordorNewPasswordparameter.Error response: The API returns the error code
InvalidParameter.RiskPassword.Weak, which indicates that the password is weak.{ "RequestId": "7348E639-3A47-593D-9914-D7A9729D****", "HostId": "ims.aliyuncs.com", "Code": "InvalidParameter.RiskPassword.Weak", "Message": "The specified password was detected as a weak password, please set a stronger password.", "Recommend": "https://api.aliyun.com/troubleshoot?q=InvalidParameter.RiskPassword.Weak&product=Ims&requestId=7348E639-3A47-593D-9914-D7A9729D****" }
Change password as a RAM administrator
As an Alibaba Cloud account or a RAM user with RAM administrator permissions (AliyunRAMFullAccess), you can set an initial password for a RAM user or reset a forgotten password.
Console
Log on to the RAM console.
In the left-side navigation pane, choose .
On the Users page, click the name of the target RAM user.
On the Authentication tab, you can manage the user's login credentials. For security, RAM does not allow you to view an existing password; you can only reset it. The button displayed depends on the user's status:
If console logon has not been configured for the user, as described in Manage console logon settings for a RAM user, click Enable Console Logon to set an initial login password.
If console logon is already enabled for the user, click Modify Logon Settings to change the RAM user's password.
In the Modify Logon Settings panel that appears, configure a new password in the Set Logon Password section.
Select Keep Current Password Unchanged to make no changes to the password.
Select Automatically Regenerate Default Password for the system to create a new password. Record the new password and store it securely.
ImportantThe auto-generated password is displayed only once. It cannot be retrieved after you close the panel. Copy it immediately and deliver it securely to the user.
Select Reset Custom Password and enter a new password. The new password must comply with the current password strength policy. The default password policy of Alibaba Cloud requires a password to be 8 to 32 characters in length. To view or modify the password policy, see Set the password policy for RAM users.
NoteCustom passwords are checked for weakness. If a weak password is detected, the console blocks the change. For more information, see Weak password detection and blocking.
(Optional) In the Password Reset section, select Required at Next Logon. This is useful when securely delivering an initial password to a user.
Click OK.
API
Call the GetPasswordPolicy operation or sign in to the console to check the password strength policy for RAM users in your account. For more information, see Set the password policy for RAM users.
Depending on the user's status:
If the user has not been configured for console logon, as described in Manage console logon settings for a RAM user, call the CreateLoginProfile operation to set an initial login password.
If the user already has console logon enabled, call the UpdateLoginProfile operation and provide the new password in the
Passwordparameter.
When you call the CreateLoginProfile or UpdateLoginProfile operation, if the Block risk passwords when setting passwords through API option is enabled for your account, the API call fails if a weak password is provided in the Password parameter. For more information, see Weak password detection and blocking.
Change your own password
If your RAM administrator allows RAM users to manage their own passwords and you remember your current login password, you can sign in to the console to change your password.
Prerequisites
Your RAM administrator must have the Allow user to change password setting enabled. This option is enabled by default. If it is disabled, you cannot change your own password. You must contact an Alibaba Cloud account or a RAM administrator with AliyunRAMFullAccess permissions to enable this setting. The administrator can follow the steps in the sections below to enable it. For more information, see Manage security settings for RAM users.
Console
Log on to the RAM console.
In the left-side navigation pane, choose Settings. In the Global Security section, click Modify to configure the Allow user to change password setting.
API
Call the SetSecurityPreference operation and set the AllowUserToChangePassword parameter to true.
Change your password
Console
As a RAM user, go to the RAM User Logon page and sign in.
Hover over your profile picture in the upper-right corner and click Security Settings.
In the Logon Information section, click Password Management and then click Change Password.
Enter your old password and new password, and then click OK.
NoteThe new password is checked for weakness. If a weak password is detected, the console blocks the change. For more information about the rules and behavior, see Weak password detection and blocking.
API
Call the ChangePassword operation.
When you call the ChangePassword operation, if the Block risk passwords when setting passwords through API option is enabled for your account, the API call fails if a weak password is provided in the NewPassword parameter. For more information, see Weak password detection and blocking.