Updated on 2022-06-28 GMT+08:00

Enable SA to Get Improved Login Password Security

A weak password is short, common, or something that could be rapidly guessed by brute force attacks. Once a weak password is obtained by an attacker, the attacker can directly log in to the system and read or even modify website code. A weak password will put your system and services at serious risk. It is recommended that complex passwords be used and changed periodically to improve password security.

This topic walks you through how to improve password security and introduces some common methods to change weak passwords.

Prerequisites

  • Causes for weak passwords:
    • A password is generated by a simple rule and matches an entry in the weak password library.
    • A password used by multiple member accounts will be regarded as a weak password.
  • Weak passwords may cause the following threats:
    • If an individual user uses a weak password, personal privacy information may be disclosed, and even property loss may occur once the password is guessed or cracked.
    • If a system administrator uses a weak password, the entire system may be attacked, database information may be stolen, and the service system may break down, which will then cause customer data breaches, huge economic losses, and even large-scale cybersecurity events.

Weak Password Detection

Detecting weak passwords in a timely manner can effectively prevent the system from being attacked and data from being leaked, improving system security.

Huawei Cloud Situation Awareness (SA) is a good choice for checking whether there are high-risk weak passwords in your IAM accounts and server accounts. For details, see Baseline Inspection. If a high-risk weak password is detected, change it in a timely manner. For details, see Changing the Weak Password of an IAM Account, Changing a Weak Password, Improving Password Security of IAM Accounts, and Improving Password Security of Server Accounts.

Improving Password Security of IAM Accounts

You can use the following methods to improve password security of your IAM accounts:
  • Increase password complexity.
    A password must meet the following requirements:
    • A password must contain at least eight characters.
    • A password must contain at least three of the following combinations:
      • Uppercase letters (A-Z)
      • Lowercase letters (a-z)
      • Digits (0-9)
      • Special characters
    • The number of consecutive identical characters allowed is set to 1, that is, no character may appear twice in a row.
    • Do not reuse any of the last five passwords you used.
  • Do not use common weak passwords that are easy to crack, including:
    • Birthday, name, ID card, mobile number, email address, user ID, time, or date
    • Consecutive digits and letters, adjacent keyboard characters, or passwords in rainbow tables
    • Phrases
    • Common words, such as company names, and the usernames admin and root
  • Change passwords periodically.

    You are advised to change the password every 90 days.

Improving Password Security of Server Accounts

You can use the following methods to improve password security of your server accounts:
  • Use a password with high complexity.

    The password must meet the following requirements:

    1. Contains at least eight characters.
    2. Contains at least three of the following character types:
      1. Uppercase letters (A-Z)
      2. Lowercase letters (a-z)
      3. Digits (0-9)
      4. Special characters
    3. The password cannot be the username or the username in reverse order.
  • Do not use common weak passwords that are easy to crack, including:
    • Birthday, name, ID card, mobile number, email address, user ID, time, or date
    • Consecutive digits and letters, adjacent keyboard characters, or passwords in rainbow tables
    • Phrases
    • Common words, such as company names, admin, and root
  • Do not use empty or default passwords.
  • Do not reuse any of the last five passwords you used.
  • Use different passwords for different websites and accounts.
  • Do not use the same pair of username and password for multiple systems.
  • Change your password at least once every 90 days.
  • If an account has an initial password, force the user to change the password upon first login or within a limited period of time.
  • You are advised to set a locking policy for all accounts: if an account has more than five consecutive login failures, it is locked and automatically unlocked after 30 minutes.
  • You are advised to set a logout policy: accounts that have been inactive for more than 10 minutes are automatically logged out or locked.
  • You are advised to force users to change the initial passwords of their accounts upon their first login.
  • You are advised to retain account login logs for at least 180 days. The logs must not contain user passwords.
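The complexity, weak-word and reuse rules from the IAM section above and from the server-account list (including the rule that a password may not be the username or its reverse), as an added example that is not Huawei Cloud or SA code: a checker that reports which rules a candidate password violates. The weak-word list and the password history are constructed for the demo.

```python
import string

# Constructed weak-word list for the demo, standing in for the weak password library
WEAK_WORDS = {"password", "admin", "root", "12345678", "qwerty"}
HISTORY_DEPTH = 5   # the last five passwords may not be reused
MAX_RUN = 1         # allowed number of consecutive identical characters

def character_classes(password):
    """Count how many of the four character classes the password uses."""
    return sum((
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    ))

def longest_run(password):
    """Length of the longest run of consecutive identical characters."""
    longest, run, prev = 0, 0, None
    for c in password:
        run = run + 1 if c == prev else 1
        longest, prev = max(longest, run), c
    return longest

def check_password(password, username, history=()):
    """Return the violated rules; an empty list means the password passes.

    history holds the user's earlier passwords, newest last. A real system
    compares stored hashes rather than plaintext values.
    """
    if not password:
        return ["empty password"]
    problems = []
    lowered, user = password.lower(), username.lower()
    if len(password) < 8:
        problems.append("fewer than 8 characters")
    if character_classes(password) < 3:
        problems.append("fewer than 3 character types")
    if longest_run(password) > MAX_RUN:
        problems.append("consecutive identical characters")
    if lowered in (user, user[::-1]):
        problems.append("password is the username or its reverse")
    if any(word in lowered for word in WEAK_WORDS):
        problems.append("contains a common weak word")
    if password in history[-HISTORY_DEPTH:]:
        problems.append("reused one of the last five passwords")
    return problems
```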
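The locking and logout policies recommended in the list above, as an added example that is not part of the original page or of SA: a tracker that locks an account once its consecutive login failures exceed five, unlocks it automatically after 30 minutes, and checks the 10-minute inactivity limit. The account name and timestamps are constructed.

```python
from datetime import datetime, timedelta

MAX_FAILURES = 5                        # more failures than this in a row lock the account
LOCK_DURATION = timedelta(minutes=30)   # the account unlocks automatically after this
IDLE_TIMEOUT = timedelta(minutes=10)    # sessions idle longer than this are logged out

class LockoutPolicy:
    """Tracks consecutive login failures per account and enforces temporary locks."""

    def __init__(self):
        self.failures = {}      # account -> consecutive failure count
        self.locked_until = {}  # account -> time when the lock expires

    def is_locked(self, account, now):
        until = self.locked_until.get(account)
        if until is None:
            return False
        if now >= until:        # lock expired: clear it and reset the counter
            del self.locked_until[account]
            self.failures[account] = 0
            return False
        return True

    def login(self, account, password_ok, now):
        """Record one attempt and return 'locked', 'success' or 'failure'."""
        if self.is_locked(account, now):
            return "locked"     # rejected without evaluating the password
        if password_ok:
            self.failures[account] = 0
            return "success"
        self.failures[account] = self.failures.get(account, 0) + 1
        if self.failures[account] > MAX_FAILURES:
            self.locked_until[account] = now + LOCK_DURATION
        return "failure"

def session_expired(last_activity, now):
    """True when a session has been inactive for more than the logout limit."""
    return now - last_activity > IDLE_TIMEOUT

# Constructed sample: six wrong passwords, a correct one while still locked,
# then a correct one after the 30-minute lock has expired.
T0 = datetime(2022, 6, 28, 9, 0)
SAMPLE = [("ops", False, T0 + timedelta(minutes=i)) for i in range(6)]
SAMPLE += [("ops", True, T0 + timedelta(minutes=6)), ("ops", True, T0 + timedelta(minutes=36))]

def demo():
    """Replay the constructed sample and evaluate an 11-minute idle session."""
    policy = LockoutPolicy()
    outcomes = [policy.login(account, ok, at) for account, ok, at in SAMPLE]
    return outcomes, session_expired(T0, T0 + timedelta(minutes=11))
```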

Changing the Weak Password of an IAM Account

  1. Log in to the Huawei Cloud management console as an administrator.
  2. On the console, hover your cursor over the username in the upper right corner, and choose Identity and Access Management from the drop-down list.
    Figure 1 Identity and Access Management
  3. In the navigation pane on the left, choose Security Settings.
  4. On the Security Settings page, click the Password Policy tab. Then, modify the password composition and reuse policy, password expiration policy, and minimum password age policy.
  5. On the Security Settings page, click the Basic Information tab and check whether the password strength of the IAM account is Strong, which is the highest level.

    If the password is not strong, repeat step 4 and modify the password policies again.

Changing a Weak Password

The following describes, for each system, the procedure for changing a weak password and the related remarks.

System: Windows OS

Procedure: To change the password in Windows 10, perform the following steps:

  1. Log in to the Windows OS.
  2. Click in the lower left corner and click .
  3. In the Windows Settings window, click Accounts.
  4. Choose Sign-in options from the navigation tree.
  5. On the Sign-in options tab, click Change under Password.

Remarks: None

System: Linux OS

Procedure: Log in to the Linux server and run the following command:

passwd [<user>]

If you do not specify a username, the password of the current user is changed.

After the command is executed, enter the new password as prompted.

Remarks: Replace <user> with the username.

System: MySQL database

Procedure:

  1. Log in to the MySQL database.
  2. Run the following statement to check the database user passwords:

    SELECT user, host, authentication_string FROM mysql.user;

    This statement is invalid in some MySQL versions, where the column is named password instead of authentication_string.

    In this case, run the following statement:

    SELECT user, host, password FROM mysql.user;

  3. Run the following statement to change the password:

    SET PASSWORD FOR 'Username'@'Host' = PASSWORD('New_password');

  4. Run the following statement to reload the privilege tables so that the change takes effect:

    FLUSH PRIVILEGES;

Remarks: None

System: Redis database

Procedure:

  1. Open the Redis database configuration file redis.conf.
  2. Set the following directive to change the password:

    requirepass <password>

  • If a password is already set, the directive replaces it with the new password.
  • If no password has been set, the directive sets one.

Remarks: Replace <password> with the new password. The setting takes effect after Redis is restarted with the modified redis.conf.

System: Tomcat

Procedure:

  1. Open the conf/tomcat-users.xml configuration file in the Tomcat root directory.
  2. Change the value of the password attribute of the user element to a strong password.

Remarks: None