If your server accepts a weak logon password, an attacker can guess or brute-force that password, log on to the server, steal data, or take control of the host. We recommend that you configure a strong logon password for your server and change it at regular intervals. This topic describes how to strengthen a logon password and how to change the logon password in common systems.

Background information

If you use a weak password on a server, the following risks exist:
  • A weak password on a standard account can be guessed or cracked with password-cracking tools, which can expose personal data and cause financial loss.
  • A weak password on an administrator account lets an attacker take over the host, take systems offline, and dump database contents, which can lead to data leaks, major financial loss, and wider compromise of the network.

To prevent attacks and information leaks and improve system security, check whether weak passwords are in use on your systems as soon as possible. You can use the baseline check feature of Security Center to detect high-risk weak passwords on your server. If any are detected, change them promptly by following the guidance in Improve password security. For the steps for each system, see Change weak passwords in common systems.

Improve password security

You can use the following methods to improve the security of a logon password:

  • Configure a complex password
    A complex password must meet at least the following requirements (these are minimums; a longer password of 12 or more characters is considerably harder to crack):
    • The password must be at least eight characters in length.
    • The password must contain at least three of the following character types:
      • Uppercase letters
      • Lowercase letters
      • Digits
      • Special characters (~, !, @, $, %, ^, &, *, -, _, =, +, #, /, and ?)
    • The password cannot be the username or the username in reverse order.
  • Do not use common or exposed weak passwords
    Do not use the following kinds of passwords:
    • Common weak passwords that appear in public breach lists. Examples: abcd1234, admin, root, and admin@123.
    • Number, letter, and keyboard patterns or sequences. Examples: 123456, abcdef, 123abc, qwerty, and 1qaz2wsx.
    • Passwords based on cultural references or number slang. Examples: 5201314 and woaini1314.
    • Easy-to-guess personal or company information, such as company names, birth dates, names, ID card numbers, mobile phone numbers, email addresses, user IDs, and dates or years.
    Do not reuse one password across several accounts or systems; a single leak then exposes all of them.
  • Change passwords at regular intervals

    We recommend that you change passwords at least every 90 days, and immediately if a password may have been exposed. Do not reuse a previous password.
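The complexity, weak-password, and rotation rules described above, implemented as a small checker. This is an added example written in Python; it is not code from the original topic or from Security Center. The keyboard rows used for sequence detection, the needs_rotation and audit_shadow functions that apply the 90-day rule to the last-change field of /etc/shadow, and the sample shadow lines are assumptions of the example and are constructed, not taken from the page.

```python
"""Checks that implement the rules in "Improve password security" above.

Added example, not code from the original topic or from Security Center.
Assumptions not on the page: the 90-day rule is applied to /etc/shadow
(field 2 = hash, field 3 = days since 1970-01-01 of the last change), the
keyboard rows below, and the constructed SAMPLE_SHADOW lines.
"""
import secrets
import string
from datetime import date

SPECIALS = "~!@$%^&*-_=+#/?"   # the special characters listed on the page
MIN_LENGTH = 8
MIN_CLASSES = 3                # of the 4 classes: upper, lower, digit, special
MAX_AGE_DAYS = 90

# Exposed passwords quoted on the page; extend with a real breach list in practice.
EXPOSED = {"abcd1234", "admin", "root", "admin@123", "123456", "abcdef",
           "123abc", "qwerty", "1qaz2wsx", "5201314", "woaini1314"}
# Rows used to detect keyboard and alphabet sequences such as qwerty or abcdef
# (assumption: four adjacent keys count as a sequence).
ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890", string.ascii_lowercase]

# Constructed /etc/shadow lines and a fixed "today" for a reproducible audit.
SAMPLE_SHADOW = [
    "alice:$6$salt$hash:19800:0:99999:7:::",   # changed 75 days before SAMPLE_TODAY
    "bob:$6$salt$hash:19700:0:99999:7:::",     # changed 175 days before SAMPLE_TODAY
    "svc:!!:19000:0:99999:7:::",               # locked account
    "guest::19870:0:99999:7:::",               # empty hash: passwordless logon
]
SAMPLE_TODAY = date(2024, 6, 1)


def has_sequence(pw: str, run: int = 4) -> bool:
    """True if pw contains `run` consecutive keys of a row, forwards or backwards."""
    low = pw.lower()
    for row in ROWS:
        for i in range(len(row) - run + 1):
            frag = row[i:i + run]
            if frag in low or frag[::-1] in low:
                return True
    return False


def check_password(pw: str, username: str) -> list:
    """Return the list of policy violations; an empty list means the password passes."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    classes = sum([
        any(c.isupper() for c in pw),
        any(c.islower() for c in pw),
        any(c.isdigit() for c in pw),
        any(c in SPECIALS for c in pw),
    ])
    if classes < MIN_CLASSES:
        problems.append("only %d of 4 character classes" % classes)
    if username and pw.lower() in (username.lower(), username.lower()[::-1]):
        problems.append("equals the username or its reverse")
    if pw.lower() in EXPOSED:
        problems.append("known exposed weak password")
    if has_sequence(pw):
        problems.append("contains a keyboard or alphabet sequence")
    return problems


def generate_password(length: int = 16) -> str:
    """Generate a random password with the secrets CSPRNG that passes check_password."""
    alphabet = string.ascii_letters + string.digits + SPECIALS
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if not check_password(pw, username=""):
            return pw


def needs_rotation(shadow_line: str, today: date) -> bool:
    """Apply the 90-day rule to one /etc/shadow line.

    Locked accounts (hash starting with '!' or '*') are skipped; an empty
    hash means passwordless logon and is always reported.
    """
    fields = shadow_line.strip().split(":")
    hashed, last_change = fields[1], fields[2]
    if hashed.startswith(("!", "*")):
        return False
    if hashed == "":
        return True
    epoch_days = (today - date(1970, 1, 1)).days
    age = epoch_days - int(last_change or 0)   # empty field = must change now
    return age > MAX_AGE_DAYS


def audit_shadow(lines: list, today: date) -> list:
    """Return the usernames whose passwords must be changed."""
    return [ln.split(":")[0] for ln in lines if needs_rotation(ln, today)]


if __name__ == "__main__":
    for pw in ["admin@123", "Passw0rd!x", generate_password(20)]:
        print(pw, check_password(pw, "admin") or "OK")
    print("needs rotation:", audit_shadow(SAMPLE_SHADOW, SAMPLE_TODAY))
```

On a real host, feed the output of cat /etc/shadow (read as root) to audit_shadow with date.today(); the checker is meant to be run when a password is set, not on stored hashes, which cannot be recovered.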

Change weak passwords in common systems

The following sections describe how to change weak logon passwords in common systems, such as Linux servers, MySQL databases, and Redis databases.

Important The following placeholders are used in the procedures below. Replace them with values that match your environment.
  • <UserName>: the logon username
  • <OldPassword>: the current password
  • <NewPassword>: the new password
  • <HostName>: the name or IP address of the host
Linux
Log on to your Linux server and run the passwd <UserName> command to change the logon password. <UserName> specifies the logon username. If you omit the username, the password of the current user is changed. Only the root user can change the password of another account; a non-root user is first prompted for the current password. Enter the new password as prompted.
Windows
In this example, the logon password for a server that runs Windows Server 2019 is changed.
  1. Log on to your Windows server. In the lower-left corner of the Windows desktop, click the Start icon.
  2. Click the Settings icon.
  3. In the Windows Settings window, click Accounts.
  4. In the left-side navigation pane, click Sign-in options.
  5. Change the logon password of the server as prompted.
MySQL database
  1. Log on to your MySQL database.
  2. Run the following command to list the accounts and their password hashes:
    SELECT user, host, authentication_string FROM mysql.user;
    Note In MySQL 5.7.5 and earlier, the hash is stored in the password column instead. If the command above fails, run:
    SELECT user, host, password FROM mysql.user; 
  3. Change the password of the user that the weak-password alert refers to. In MySQL 5.7.6 and later, run the following command (the PASSWORD() function is deprecated in 5.7 and removed in 8.0):
    ALTER USER '<UserName>'@'<HostName>' IDENTIFIED BY '<NewPassword>';
    In MySQL 5.7.5 and earlier, run:
    SET PASSWORD FOR '<UserName>'@'<HostName>' = PASSWORD('<NewPassword>'); 
  4. Run the flush privileges; command. It is not required after ALTER USER but is harmless.
The same username can exist with several host values (for example, 'root'@'localhost' and 'root'@'%'); change every entry that is flagged.
Redis database
  1. Log on to the server that runs Redis and open the redis.conf file.
  2. Add or change the following directive to set the password. There is no trailing semicolon; the value is taken literally, so choose a long random string:
    requirepass <NewPassword>
  3. Restart the Redis service.
<NewPassword> specifies the logon password. If a password is already configured, change it to a complex one. If no password is configured, set one; until you do, anyone who can reach the Redis port has full access to the instance. After the change, update every client to send AUTH <NewPassword>. Because Redis answers AUTH attempts at very high speed and does not rate-limit them, a short password can be brute-forced quickly; use a long one and do not expose the port to the Internet.
SQL Server database
  • T-SQL (Linux or Windows)
    Connect to your SQL Server instance and run the following command to change the password of a SQL login:
     ALTER LOGIN <UserName> WITH PASSWORD = '<NewPassword>' OLD_PASSWORD = '<OldPassword>';
    The OLD_PASSWORD clause is needed only when a login changes its own password without the ALTER ANY LOGIN permission. The older exec sp_password '<OldPassword>', '<NewPassword>', '<UserName>' form still works but is deprecated.
  • SQL Server Management Studio (Windows)

    Connect to the instance, choose Security > Logins, open the properties of the affected login, and replace the weak password with a complex password.
MongoDB database
  1. Log on to your MongoDB database with the mongo shell.
  2. Run the use <db_name> command to switch to the database in which the user was created (the user's authentication database). For users created in the admin database, run use admin.
  3. Run the following command to change the user's password:
    db.updateUser("<UserName>", {pwd: "<NewPassword>"})

    The db.changeUserPassword("<UserName>", "<NewPassword>") helper does the same. We recommend that you configure a complex password that is longer than 12 characters and contains digits, uppercase letters, lowercase letters, and special characters.

  4. Enable access control if it is not already enabled.

    In the mongod.conf file, set security.authorization to enabled (in the legacy INI-style configuration, set auth to true), and then restart the MongoDB service. Without access control, the password is never checked.

  • db_name specifies the name of the database for which you want to change the logon password.
  • After you change the password, wait 5 minutes before you check whether the new password is a weak password.
PostgreSQL database
  1. Log on to your PostgreSQL database.
  2. Run the following command to change the weak password. The password is a string literal and must be enclosed in single quotation marks:
    ALTER USER <UserName> WITH PASSWORD '<NewPassword>';
    This statement can end up in the server log and in the psql history in plaintext. In psql, the \password <UserName> command avoids this: it prompts for the password and sends it to the server already hashed.
Tomcat
  1. Go to the root directory of your Tomcat installation and open the conf/tomcat-users.xml file.
  2. Change the password attribute of the affected user element to a complex password, and then restart Tomcat so that the change takes effect.
Passwords in tomcat-users.xml are stored in plaintext, so make the file readable only by the account that runs Tomcat.
rsync
  1. Open the rsyncd.conf file of your rsync server.
  2. Find the secrets file directive and note the path that it points to (commonly /etc/rsyncd.secrets).
  3. Edit that file, which contains one username:password entry per line, and change the password of the affected user to a complex password.
  4. Restart the rsync service.
The secrets file must not be readable by other users (for example, mode 600 and owned by the account that runs rsyncd). With strict modes enabled, which is the default, rsync refuses to use a secrets file that other users can read.
SVN
  1. Open the directory of the Subversion (SVN) repository.
  2. Find the password-db setting in the <path>/conf/svnserve.conf file.
  3. Open the password file that password-db points to (by default, conf/passwd in the repository) and change the weak password to a complex password. The file stores passwords in plaintext, so keep it readable only by the account that runs svnserve.
  4. Restart the SVN service.
vsftpd
  • Local user
    1. Open the vsftpd.conf file.
    2. Set anonymous_enable to NO, adding the line if it does not exist.

      The value NO disables anonymous logons.

    3. Run the passwd <UserName> command to change the password of the local user that uses the FTP service.
    4. Enter a complex password that meets the requirements as prompted.
  • Virtual user
    1. Open the /etc/vsftpd/login.txt file.
    2. Change the passwords of the users and save the file.

      In the file, line 1 contains the username of user A, line 2 contains the password of user A, line 3 contains the username of user B, line 4 contains the password of user B, and so on.

    3. Run the db_load -T -t hash -f /etc/vsftpd/login.txt /etc/vsftpd/login.db command to rebuild the Berkeley DB file that PAM reads.
    4. Edit the /etc/pam.d/vsftpd file.
      Make sure that the auth and account lines that load pam_userdb.so carry the db=/etc/vsftpd/login parameter (the path without the .db suffix), appending it if it is missing. Then, save the file.
    5. Restart the vsftpd service.
Because login.txt holds passwords in plaintext, restrict it and login.db to root, and delete login.txt after the database is rebuilt.
FTP
  1. Log on to your Linux server as the root user.
  2. Run the following command, where <UserName> is the system account that the FTP service uses (for example, ftp):
    passwd <UserName>
  3. Enter a new password as prompted.

    If the passwd: all authentication tokens updated successfully message appears, the password is changed.
InfluxDB database
  1. Log on to your InfluxDB database (InfluxDB 1.x, InfluxQL).
  2. Run the following command to change the password of the account that is used to log on to the database:
    SET PASSWORD FOR "<UserName>" = '<NewPassword>'
Replace <NewPassword> with the new password. The username is an identifier and is enclosed in double quotation marks ("); the password is a string and must be enclosed in single quotation marks ('). The password is only checked if authentication is enabled (auth-enabled = true in the [http] section of the InfluxDB configuration file).
JBoss 6 and JBoss 7
  • JBoss 6
    1. Find the conf/props/jmx-console-users.properties file in the server configuration directory and change the password in the file. Each line is in the <UserName>=<Password> format.
    2. Restart the JBoss 6 service.
      1. Run the ps -ef|grep jboss command to find the JBoss 6 process.
      2. Stop the process gracefully (JBoss 6 ships bin/shutdown.sh for this); use kill -9 process ID only if the process does not exit.
      3. Run the following command to start the JBoss service:
         jboss6_path/bin/run.sh
  • JBoss 7
    1. Find the configuration/mgmt-users.properties file and delete the entries of the users whose passwords are weak.
    2. Run the bin/add-user.sh script in the installation directory of JBoss and add the users again with complex passwords as prompted.
Replace process ID with the process ID of JBoss 6 and replace jboss6_path with the installation directory of JBoss 6.
Jenkins
  1. Log on to the Jenkins console.
  2. Click your username in the upper-right corner, and then click Configure in the left-side navigation pane. This applies to Jenkins' own user database; if Jenkins authenticates against LDAP or another directory, change the password there instead.
  3. In the Password section, enter and confirm the new password, and then click Save.
OpenLDAP
  1. Run the following command to find the database entry that holds the administrator (rootdn) password:
    ldapsearch -H ldapi:// -LLL -Q -Y EXTERNAL -b "cn=config" "(olcRootDN=*)" dn olcRootDN olcRootPW
  2. Run the following command to generate the hash of the new password:
     slappasswd -s <NewPassword>

    The command returns the hash of the new password. Passing the password with -s exposes it in the shell history and the process list; running slappasswd without -s prompts for it instead.

  3. Create a file named newpassword.ldif and add the following content to the file:
    dn: olcDatabase={2}hdb,cn=config
    changetype: modify
    replace: olcRootPW
    olcRootPW: NewHash

    The dn line is the dn value that the command in Step 1 returned (on newer installations it is typically an mdb database, such as olcDatabase={1}mdb,cn=config), and NewHash is the hash of the new password.

  4. Run the following command to apply the .ldif file:
    ldapmodify -H ldapi:// -Y EXTERNAL -f newpassword.ldif 
Linux OpenVPN
Perform the following steps to enable username and password authentication for OpenVPN and set the passwords:
  1. Open the OpenVPN server configuration file. In most cases, the file is in the /etc/openvpn directory (for example, server.conf).
  2. Optionally, append the following statement to stop requiring client certificates (in OpenVPN 2.4 and later, use verify-client-cert none instead). Keep certificate verification if you can: a password alone is a much weaker credential than a certificate plus a password.
    client-cert-not-required
  3. Append the following statement to enable the user password script:
    auth-user-pass-verify /etc/openvpn/checkpsw.sh via-env
  4. Append the following statement. Level 3 is required because via-env passes the password to the script in environment variables, which OpenVPN treats as potentially unsafe:
    script-security 3
  5. Edit the /etc/openvpn/psw-file file. Each line represents an account, with the username and password separated by a space. Examples:
    cat /etc/openvpn/psw-file 
    abcdocker <NewPassWord>
    abc <NewPassWord>
    test <NewPassWord>
  6. Run the following command to obtain the checkpsw.sh script, review its contents (it is fetched over plain HTTP), and make it executable:
    wget http://openvpn.se/files/other/checkpsw.sh
    Note By default, the checkpsw.sh script reads usernames and passwords from the /etc/openvpn/psw-file file. The file stores passwords in plaintext, so set its owner to root and its mode to 600.
  7. Restart the OpenVPN service so that the new configuration takes effect.
Oracle database
  1. Log on to your Oracle database.
  2. Run the following command to change the password. Enclose the password in double quotation marks if it contains special characters or starts with a digit:
    alter user <UserName> identified by "<NewPassword>";
<NewPassword> specifies the new password.
pptpd
  1. Edit the /etc/ppp/chap-secrets file.
  2. Specify each account on its own line in the <UserName> pptpd <NewPassword> * format: client name, server name (pptpd), secret, and the IP addresses that the client may use (* for any).

    Separate the fields with tabs or spaces. Enclose the password in double quotation marks if it contains spaces or the # character.

  3. Restart the pptpd service.
<NewPassword> specifies the new password. Note that PPTP authenticates with MS-CHAPv2, whose handshake can be cracked offline regardless of password strength; a strong password limits guessing but does not make PPTP safe, so replace it with a modern VPN where possible.
ProFTPD
Run the following command and enter a new password as prompted:
ftpasswd --passwd --name=<UserName> --change-password --file=File_Path
File_Path specifies the path of the virtual user file, which is the file that the AuthUserFile directive in proftpd.conf points to.
RabbitMQ
Run the following command to change the weak password:
rabbitmqctl change_password <UserName> '<NewPassword>'
<NewPassword> specifies the new password. The single quotation marks keep the shell from interpreting special characters in the password. If the weak password belongs to the default guest account, consider deleting that account instead of keeping it with a new password.
VNC Server
  1. Stop VNC Server and go to the installation directory of VNC Server on the server where it is installed.

    If the weak password does not belong to the root user, switch to the user to which the weak password belongs. For example, if the user whose password you want to change is aliuser, run the su - aliuser command.

  2. Delete the existing passwd file so that a stale copy cannot remain in use. Example: /home/aliuser/.vnc/passwd.
  3. Run the vncpasswd command to set the new password.
    Important VNC Server uses only the first eight characters of the password. For example, if you set the new password to Aliyunpasswd, only the first eight characters, Aliyunpa, take effect. Make sure that those first eight characters by themselves meet the complexity requirements; a weak prefix leaves the new password at high risk of being cracked. Because an eight-character password is a weak credential in any case, do not expose the VNC port directly; reach it through an SSH tunnel or a VPN.
WebLogic 12c
  1. Log on to the WebLogic console.
  2. In the left-side navigation pane, choose Security Realms > Realms > Users and Groups > Users.
  3. Select the user whose password you want to change.
  4. On the Passwords tab, enter and confirm the new password, and click Save.
  5. If Activate Changes is displayed in the Change Center section in the upper-left corner of the WebLogic console, click Activate Changes.
  6. Log on to your server and change the value of the password field for the selected user in the %DOMAIN_HOME%/servers/AdminServer/security/boot.properties file ($DOMAIN_HOME on Linux).

    The new password must be the same as the password that you entered in the WebLogic console. Enter it in plaintext; WebLogic encrypts the entries in boot.properties the next time the server starts.

  7. Run the %DOMAIN_HOME%/bin/stopWebLogic.sh script to shut down WebLogic gracefully, and then start it again.
Note
  • The new password takes effect only after you restart WebLogic.
  • If you cannot modify the configuration, find the Change Center section in the upper-left corner of the WebLogic console and click Lock & Edit.
  • WebLogic must be shut down gracefully. Otherwise, WebLogic may fail to start.
ActiveMQ
  1. Go to the activemq_path/conf/ directory and find the jetty-realm.properties file, which holds the credentials of the web console.
  2. Run the vim jetty-realm.properties command to edit the file.
  3. Add or modify a user. Each line is in the <UserName>: <NewPassword>, RoleName format. Example: admin: <NewPassword>, admin.
  4. Save the file and exit. Then, restart the ActiveMQ service.
activemq_path specifies the installation path of the application and RoleName specifies the role name. The broker (messaging) users are stored separately in conf/users.properties; change any weak passwords there as well.
Elasticsearch
Note The security features are provided by X-Pack, which has been bundled with Elasticsearch since V6.3 and needs no separate installation in V7.X and later. In V6.X and V7.X, set xpack.security.enabled to true in the elasticsearch.yml file if security is not yet enabled; in V8.X it is enabled by default.
Run the following command to change the password of a user in the file realm:
ES_HOME_PATH/bin/elasticsearch-users passwd <UserName>
ES_HOME_PATH specifies the installation path of Elasticsearch. The passwd subcommand prompts for the new password (or accepts it with the -p option). It applies only to users in the file realm; built-in users such as elastic are reset with elasticsearch-reset-password (V8.X) or elasticsearch-setup-passwords (V6.X and V7.X), and native realm users through the change password API.
Samba
  1. Run the smbpasswd <UserName> command as root to change the Samba password of a user. The Samba password is separate from the Linux account password, so if the Linux password is also weak, change it with passwd too.
  2. Enter a new password as prompted.
Zabbix
  1. Log on to the Zabbix web interface by using the administrator account.
  2. In the top navigation bar, choose Administration > Users to view users.
  3. Click the username whose password you want to change and click Change password.
  4. Enter a new password and click Update.