Reinforce password security


Weak passwords expose servers to unauthorized access, data theft, and compromise. Set strong passwords and rotate them regularly. This topic covers password security best practices and password change methods for common systems.

Risks of weak passwords

Weak server passwords introduce these risks:

  • Attackers can crack weak passwords for standard accounts, exposing personal information and causing financial loss.

  • A weak administrator password can lead to full system compromise, database theft, business paralysis, massive data breaches, and large-scale cybersecurity incidents.

Security Center baseline check scans servers for high-risk weak passwords. If a weak password is detected, strengthen it immediately using the Improve password security guidelines and the Methods for changing passwords for common systems procedures.

Improve password security

Follow these best practices:

  • Set a strong password

    A strong password meets all these requirements:

    • The password is at least 8 characters long.

    • The password contains a combination of at least three of the following character types: uppercase letters (A-Z), lowercase letters (a-z), digits (0-9), and special characters (~, !, @, $, %, ^, &, *, -, _, =, +, #, /, ?).

    • The password cannot be the user name or the user name in reverse.

  • Avoid common or publicly known weak passwords

    Examples of common weak passwords:

    • Commonly used weak passwords such as abcd1234, admin, root, or admin@123.

    • Sequential or mixed sequences of numbers and letters, or keyboard patterns, such as 123456, abcdef, 123abc, qwerty, and 1qaz2wsx.

    • Common phrases or numeronyms, such as 5201314 or iloveyou1314.

    • Personal information, such as your company name, birthday, full name, ID number, phone number, email name, user ID, or the current year.

  • Rotate passwords regularly

    Rotate your password every 90 days.
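The requirements above can be enforced programmatically before a new password is accepted. The following Python script is an added example (not part of this page or of Security Center) that implements the policy as listed: minimum length, at least three of the four character classes using the special characters named here, rejection of the user name or its reverse, a small constructed deny-list of the weak passwords mentioned above, detection of sequential runs and keyboard walks, and a check for personal-information tokens such as the user name or the current year. The deny-list, the keyboard rows (US layout) and the four-character run length are assumptions chosen for illustration.

```python
from datetime import date

# Special characters accepted by the policy described on this page.
SPECIALS = set("~!@$%^&*-_=+#/?")

# Constructed deny-list built from the weak passwords named above; a real
# deployment would load a much larger breached-password corpus instead.
COMMON_WEAK = {
    "abcd1234", "admin", "root", "admin@123", "123456", "abcdef", "123abc",
    "qwerty", "1qaz2wsx", "5201314", "iloveyou1314", "password",
}

# Keyboard rows and columns used to detect keyboard walks (assumed US layout).
KEYBOARD_WALKS = (
    "1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm",
    "1qaz", "2wsx", "3edc", "4rfv", "5tgb", "6yhn", "7ujm",
)


def has_sequential_run(s: str, run: int = 4) -> bool:
    """True if s contains `run` consecutive characters stepping by +1 or -1 (1234, dcba)."""
    s = s.lower()
    for i in range(len(s) - run + 1):
        window = s[i:i + run]
        steps = {ord(b) - ord(a) for a, b in zip(window, window[1:])}
        if steps == {1} or steps == {-1}:
            return True
    return False


def has_keyboard_walk(s: str, run: int = 4) -> bool:
    """True if s contains `run` adjacent keys from a keyboard row or column (qwer, 1qaz)."""
    s = s.lower()
    for walk in KEYBOARD_WALKS:
        for i in range(len(walk) - run + 1):
            if walk[i:i + run] in s:
                return True
    return False


def check_password(password: str, username: str, personal_tokens=()) -> list:
    """Return the list of policy violations; an empty list means the password is acceptable.

    personal_tokens: extra strings that must not appear (company name, birthday, phone ...).
    """
    problems = []
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    classes = sum([
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(c in SPECIALS for c in password),
    ])
    if classes < 3:
        problems.append(f"uses {classes} character class(es); at least 3 are required")
    lowered, uname = password.lower(), username.lower()
    if uname and lowered in (uname, uname[::-1]):
        problems.append("equals the user name or the user name reversed")
    if lowered in COMMON_WEAK:
        problems.append("is a commonly used weak password")
    if has_sequential_run(password):
        problems.append("contains a sequential run such as 1234 or abcd")
    if has_keyboard_walk(password):
        problems.append("contains a keyboard pattern such as qwerty or 1qaz")
    # Personal information: the user name itself, the current year and caller-supplied tokens.
    for token in [uname, str(date.today().year), *personal_tokens]:
        if len(token) >= 4 and token.lower() in lowered:
            problems.append(f"contains personal information ({token})")
    return problems


if __name__ == "__main__":
    # Constructed sample inputs; ExampleCorp stands in for the company name.
    for pw, user in [("abcd1234", "admin"), ("Alice2024!", "alice"), ("Tr0ub-Horse!9", "alice")]:
        verdict = check_password(pw, user, personal_tokens=["ExampleCorp"])
        print(f"{pw!r}: {'OK' if not verdict else '; '.join(verdict)}")
```

The checker returns every violation rather than stopping at the first one, so the message shown to a user explains all the reasons a candidate was rejected. The year check uses the system date, so a password containing this year's number is refused without hard-coding a value.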

Password change methods for common systems

The following sections describe how to change passwords for common systems.

Important

Replace these placeholders with your actual values:

  • <UserName>: The login user name.

  • <OldPassword>: The old password.

  • <NewPassword>: The new password.

  • <HostName>: The hostname or IP address.


Linux system

Run passwd <UserName> to change the user's password. Enter the new password when prompted.

If you omit <UserName>, the password for the current user is changed.

Windows system

The following steps use Windows Server 2019 as an example.

  1. Log on to the Windows server and click the Start icon in the lower-left corner.

  2. Click the Settings icon. On the Windows Settings page, click Accounts.

  3. In the left navigation pane, click Sign-in options.

  4. Follow the on-screen instructions to change the server password.

MySQL database

  1. Log on to the MySQL database.

  2. Run the following command to view user password information.

    SELECT user, host, authentication_string FROM mysql.user;

    Note

    Some MySQL versions may not support this command. If it does not return password information, run the following command instead.

    SELECT user, host, password FROM mysql.user;

  3. Run the following command to change the password for the affected user.

    ALTER USER '<UserName>'@'<HostName>' IDENTIFIED BY '<NewPassword>';
  4. Run FLUSH PRIVILEGES; to apply the changes.

Redis database

  1. Open the Redis configuration file, redis.conf.

  2. Add or modify the following directive to set or change the password.

    requirepass <NewPassword>

    This directive changes an existing password or sets a new one if none exists.

  3. Restart the Redis service.

SQL Server database

  • Linux system login

    Log on to the SQL Server database and run the following command to change the login password.

    EXEC sp_password @old=N'<OldPassword>', @new=N'<NewPassword>', @loginame=N'<UserName>';
  • Windows authentication

    In the SQL Server database client, navigate to , select the user, and replace the weak password with a strong one.

MongoDB database

  1. Log on to the MongoDB database.

  2. Run the use admin command to switch to the admin database.

  3. Run the db.changeUserPassword("<UserName>", "<NewPassword>") command to change the password for the user.

    Set a strong password longer than 12 characters that includes digits, uppercase letters, lowercase letters, and special characters.

  4. Ensure that authentication is enabled.

    In the MongoDB configuration file mongod.conf, set security.authorization to enabled or set the auth parameter to true.

  5. Run the systemctl restart mongod command to restart the MongoDB service.

PostgreSQL database

  1. Log on to the PostgreSQL database.

  2. Run the following command to change the weak password.

    ALTER USER <UserName> WITH PASSWORD '<NewPassword>';

Tomcat

  1. Open the conf/tomcat-users.xml configuration file in the Tomcat root directory.

  2. For the target user node, change the value of the password attribute to a strong password.

Rsync

  1. Open the Rsync configuration file, rsyncd.conf.

  2. Locate the secrets file parameter to find the path of the rsyncd.secret file.

  3. Edit the rsyncd.secret file. For the target user, set a new strong password using the <UserName>:<NewPassword> format.

  4. Restart the Rsync service.

SVN

  1. Open the repository directory.

  2. In the <path>/conf/svnserve.conf configuration file, locate the password-db parameter.

  3. Use the value of the password-db parameter to find the password configuration file (by default, the passwd file) and change the password in that file.

  4. Restart the SVN service.

vsftpd

  • Local users

    1. Open the vsftpd.conf configuration file.

    2. Add or modify the anonymous_enable parameter and set its value to NO to disable anonymous login.

    3. Run the passwd <UserName> command to change the FTP user's password.

    4. Follow the prompts to set a new strong password.

  • Virtual users

    1. Open the /etc/vsftpd/login.txt file.

    2. Modify the password for the corresponding user name and save the file.

      The file uses alternating lines: username on odd lines, password on even lines.

    3. Run the db_load -T -t hash -f /etc/vsftpd/login.txt /etc/vsftpd/login.db command.

    4. Modify the /etc/pam.d/vsftpd file.

      After the lines that contain auth pam_userdb.so and account pam_userdb.so, append the statement db=/etc/vsftpd/login to each line. Save the file after the modification.

    5. Restart vsftpd.
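Because login.txt pairs a user name on one line with its password on the next, a hand edit that drops or duplicates a single line silently shifts every later pair, so a user ends up with a neighbour's password. The following Python helper is an added example (not part of this page or of vsftpd) that rewrites the password for one virtual user while validating the alternating layout. The sample file content is constructed, and the names parse_login_file, set_virtual_user_password and update_login_file are chosen here for illustration. The db_load and PAM steps above still have to be run afterwards.

```python
import os
from pathlib import Path


def parse_login_file(text: str) -> list:
    """Parse the alternating layout of /etc/vsftpd/login.txt into (user, password) pairs.

    Odd lines (1st, 3rd, ...) are user names, even lines are passwords. Trailing newlines
    are ignored; any other layout error raises rather than silently mis-pairing entries.
    """
    lines = text.rstrip("\n").splitlines()
    if len(lines) % 2:
        raise ValueError("login file has an odd number of lines; user/password pairing is broken")
    pairs = list(zip(lines[0::2], lines[1::2]))
    users = [u for u, _ in pairs]
    if len(users) != len(set(users)):
        raise ValueError("duplicate user name in login file")
    if any(not u or not p for u, p in pairs):
        raise ValueError("empty user name or password line")
    return pairs


def render_login_file(pairs) -> str:
    """Serialize pairs back to the alternating layout, one field per line."""
    return "".join(f"{user}\n{password}\n" for user, password in pairs)


def set_virtual_user_password(text: str, username: str, new_password: str) -> str:
    """Return the file content with `username`'s password replaced by `new_password`."""
    if not new_password or "\n" in new_password or "\n" in username:
        raise ValueError("password and user name must be non-empty single lines")
    pairs = parse_login_file(text)
    if username not in dict(pairs):
        raise KeyError(f"user {username!r} not found in login file")
    return render_login_file(
        [(u, new_password if u == username else p) for u, p in pairs]
    )


def update_login_file(path, username: str, new_password: str) -> None:
    """Rewrite the login file atomically with owner-only permissions (it holds plaintext passwords)."""
    path = Path(path)
    updated = set_virtual_user_password(path.read_text(), username, new_password)
    tmp = path.with_suffix(".tmp")
    tmp.write_text(updated)
    os.chmod(tmp, 0o600)
    # os.replace is atomic on POSIX, so vsftpd never sees a half-written file.
    # Regenerate login.db with db_load afterwards, as in step 3 above.
    os.replace(tmp, path)


# Constructed sample content in the alternating layout (not a real credential file).
SAMPLE_LOGIN_TXT = "ftpuser1\nold-weak-1\nftpuser2\nold-weak-2\n"

if __name__ == "__main__":
    print(set_virtual_user_password(SAMPLE_LOGIN_TXT, "ftpuser2", "N3w-Str0ng!Pw"), end="")
```

The parser refuses odd line counts, duplicate user names and empty fields instead of guessing, which is the failure mode that matters for this format: a wrong guess would still produce a file that db_load accepts.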

FTP

  1. Log on to the target Linux server as the root user.

  2. Run the following command.

    passwd <UserName>
  3. Enter the new password as prompted.

    A success message appears: all authentication tokens updated successfully.

InfluxDB database

  1. Log on to the InfluxDB database.

  2. Run the following command to change the database password.

    Replace NewPassword with the new password, enclosed in single quotation marks.

    set password for "<UserName>" = '<NewPassword>' 

JBoss 6 and 7

  • JBoss 6:

    1. Edit the /conf/props/jmx-console-users.properties configuration file. Change the weak password by using the <UserName>=<Password> format.

    2. Restart JBoss 6.

      1. Run ps -ef|grep jboss to view the current JBoss 6 process.

      2. Run kill -9 <Process_ID> to stop the process.

        Replace <Process_ID> with the process ID of JBoss 6.

      3. Run the following command to start the JBoss service.

        Replace <jboss6_path> with the installation directory of JBoss 6.

         <jboss6_path>/bin/run.sh
  • JBoss 7:

    1. Edit the /configuration/mgmt-users.properties configuration file and delete the entry for the user with the weak password.

    2. Run bin/adduser.sh in the JBoss installation path and follow the prompts to add a new user with a strong password.

Jenkins

  1. Log on to the Jenkins web console.

  2. Click Configure to open the Configure page.

  3. In the Password field, enter the new password.

OpenLDAP

  1. Run the following command to query the value and location of the OpenLDAP administrator password field.

    ldapsearch -H ldapi:// -LLL -Q -Y EXTERNAL -b "cn=config" "(olcRootDN=*)" dn olcRootDN olcRootPW
  2. Run the following command to generate a new password.

     slappasswd -s <NewPassword>

    This command returns the hash value of the new password (NewHash).

  3. Create a new file named newpassword.ldif and add the following content to the file.

    dn: olcDatabase={2}hdb,cn=config
    changetype: modify
    replace: olcRootPW
    olcRootPW: NewHash

    The value for the dn line is the dn value returned by the first query command. NewHash is the hash value of the new password.

  4. Run the following command to import the new ldif file.

    ldapmodify -H ldapi:// -Y EXTERNAL -f newpassword.ldif
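Steps 2 and 3 above combine a slappasswd hash with an LDIF fragment. The following Python code is an added example (not OpenLDAP's own tooling) that produces the {SSHA} format slappasswd emits by default, namely base64 of SHA-1(password + salt) followed by the 4-byte salt, verifies a candidate password against such a value, and renders the newpassword.ldif content for the dn returned by the first query. The function names ssha_hash, ssha_verify and build_rootpw_ldif and the sample password and salt are assumptions for illustration; ssha_verify can also be used to check a hash produced by slappasswd on a real server before it is imported.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

SALT_LEN = 4  # slappasswd's default salt length for the {SSHA} scheme


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Return an OpenLDAP {SSHA} value: base64( SHA-1(password || salt) || salt )."""
    if salt is None:
        salt = os.urandom(SALT_LEN)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password: str, stored: str) -> bool:
    """Check a candidate password against an {SSHA} value (e.g. the output of slappasswd)."""
    prefix = "{SSHA}"
    if not stored.startswith(prefix):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(stored[len(prefix):])
    digest, salt = raw[:20], raw[20:]  # SHA-1 digests are 20 bytes; the remainder is the salt
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def build_rootpw_ldif(database_dn: str, hashed: str) -> str:
    """Render the LDIF that replaces olcRootPW on the database entry found by the query above."""
    return (
        f"dn: {database_dn}\n"
        "changetype: modify\n"
        "replace: olcRootPW\n"
        f"olcRootPW: {hashed}\n"
    )


if __name__ == "__main__":
    # Constructed password for illustration; the dn is the one shown on this page.
    new_hash = ssha_hash("Correct-Horse-9!")
    print(new_hash)
    print(build_rootpw_ldif("olcDatabase={2}hdb,cn=config", new_hash), end="")
```

Writing the LDIF from a function rather than by hand avoids the most common mistake in this step, a dn line that does not match the entry returned by the first ldapsearch, which makes ldapmodify fail with no change applied.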

OpenVPN on Linux

Edit the pwd-file configuration file to change the OpenVPN password:

  1. Locate the pwd-file configuration file. The file is typically located in the /etc/openvpn directory.

  2. Add the following statement to the configuration file to disable client certificate authentication.

    client-cert-not-required
  3. Add the following statement to the configuration file to enable the user password script.

    auth-user-pass-verify /etc/openvpn/checkpsw.sh via-env
  4. Add the following statement to the configuration file to suppress system warnings.

    script-security 3
  5. Edit the /etc/openvpn/psw-file file. Each line corresponds to one account, with the user name and password separated by a space. Example:

    cat /etc/openvpn/psw-file 
    abcdocker <NewPassWord>
    abc <NewPassWord>
    test <NewPassWord>
  6. Run the following command to get the checkpsw.sh script.

    wget http://openvpn.se/files/other/checkpsw.sh
    Note

    By default, checkpsw.sh reads user names and passwords from the /etc/openvpn/psw-file file.

Oracle database

  1. Log on to the Oracle database.

  2. Run the following command to change the password.

    alter user <UserName> identified by <NewPassWord>;

pptpd

  1. Edit the /etc/ppp/chap-secrets file.

  2. Configure the user name and password in the format <UserName> pptpd <NewPassword> *.

    The UserName, pptpd, NewPassword, and * fields must be separated by tabs.

  3. Restart the pptp service.

ProFTPD

Run the following command and enter the new password as prompted.

In the command, File_Path refers to the path of the file that stores the virtual user.

ftpasswd --passwd --name=<UserName> --change-password --file=File_Path

RabbitMQ

Run the following command to change the weak password.

rabbitmqctl change_password <UserName> '<NewPassword>'

VncServer

  1. Make sure that VncServer is shut down, and then go to the VncServer installation directory on the server.

    If the weak password does not belong to the root user, log on or switch to the user whose password you need to change. For example, if the user is aliuser, run the su - aliuser command.

  2. Delete the passwd file from the installation directory. For example, delete /home/aliuser/.vnc/passwd.

  3. Run the vncpasswd command to reset the password.

    Important

    VncServer validates only the first 8 characters of a password. For example, if you set the new password to Aliyunpasswd, only the first 8 characters, Aliyunpa, are effective. If the effective password does not meet the complexity requirements, there is a high risk of it being cracked. Ensure that your password meets the complexity requirements.

WebLogic 12c

  1. Log on to the WebLogic Server Administration Console.

  2. In the left navigation pane, choose .

  3. Select the user whose password you want to change.

  4. On the Passwords page, enter and confirm the new password, and then click Save.

  5. If the Change Center in the upper-left corner of the console displays Activate Changes, click Activate Changes.

  6. Log on to the server and modify the password field for the target user in the %DOMAIN_HOME%/servers/AdminServer/security/boot.properties configuration file.

    This password must match the one set in the WebLogic console. After modification, the password is automatically AES-encrypted.

  7. Run the %DOMAIN_HOME%/bin/stopWebLogic.sh command to safely stop WebLogic, and then restart it.

Note
  • You must restart WebLogic for the new password to take effect.

  • If you cannot modify the configuration, go to the Change Center in the upper-left corner of the WebLogic console and click Lock & Edit.

  • You must stop WebLogic safely. Otherwise, WebLogic may fail to start.

ActiveMQ

  1. Go to the configuration file directory activemq_path/conf/.

    Here, activemq_path is the application installation path.

  2. Run the vim jetty-realm.properties command to edit the configuration file.

  3. Add or modify the user.

    The format for modifying the user name and password is <UserName>: <NewPassword>,RoleName, where RoleName is the role. For example: admin: passwd123!@#, admin.

  4. Save the changes, exit, and then restart the service.

Elasticsearch

Note

Elasticsearch security features require the X-Pack plug-in. X-Pack is built into Elasticsearch 7.x and later. For earlier versions, set xpack.security.enabled: true in elasticsearch.yml.

Run the following command to change the user password.

Where ES_HOME_PATH is the installation path of Elasticsearch, and passwd is the new password.

ES_HOME_PATH/bin/elasticsearch-users passwd <UserName>

Samba

  1. Run the smbpasswd <UserName> command to change the user password.

  2. Enter the new password as prompted.

Zabbix

  1. Log on to the Zabbix web console with an administrator account.

  2. In the top menu bar, choose to view the user list.

  3. Click the name of the target user, and then click Change password.

  4. Enter the new password, and then click Update.

Related topics

Use the Security Center Baseline checks feature to detect weak password risks on your servers.