Help Center> Host Security Service (New)> FAQs> Weak Passwords and Unsafe Accounts> How Do I Handle a Weak Password Alarm?
Updated on 2023-01-20 GMT+08:00
View PDF

How Do I Handle a Weak Password Alarm?

Servers using weak passwords are exposed to intrusions. If a weak password alarm is reported, you are advised to change the alarmed password immediately.

Causes

  • If simple passwords are used and match those in the weak password library, a weak password alarm will be generated.
  • A password used by multiple member accounts will be regarded as a weak password and trigger an alarm.

Checking and Changing Weak Passwords

  1. Log in to the management console.
  2. In the upper left corner of the page, select a region, click , and choose Security & Compliance > Host Security Service.

    Figure 1 Accessing HSS

  3. In the displayed dialog box, click Try the new edition to switch to the HSS (New) console.

    • Currently, HSS is available in the following regions: CN South-Guangzhou, CN-Hong Kong, AP-Bangkok, and AP-Singapore.
    • On the HSS (New) console, you can click Back to Old Console in the upper left corner to switch to the HSS (Old) console.

  4. Choose Prediction > Baseline Checks and click the Common Weak Password Detection tab.

    Figure 2 Common weak passwords

  5. Check the server, account name, account type, and usage duration of the weak password. Log in to the server and change the password.

Changing a Weak Password

System

Procedure

Remarks

Windows OS

To change the password in the Windows 10, perform the following steps:

  1. Log in to the Windows OS.
  2. Click in the lower left corner and click .
  3. In the Windows Settings window, click Accounts.
  4. Choose Sign-in options from the navigation tree.
  5. On the Sign-in options tab, click Change under Password.

None

Linux OS

Log in to the Linux server and run the following command:

passswd [<user>]

If you do not specify any username, you are changing the password of the current user.

After the command is executed, enter the new password as prompted.

NOTE:

Replace <user> with the username.

MySQL database
  1. Log in to the MySQL database.
  2. Run the following command to check the database user password:

    SELECT user, host, authentication_string From user;

    This command is probably invalid in certain MySQL versions.

    In this case, run the following command:

    SELECT user, host password From user;

  3. Run the following command to change the password:

    SET PASSWORD FOR'Username'@'Host'=PASSWORD('New_password');

  4. Run the following command to refresh password settings:

    flush privileges;

None

Redis database
  1. Open the Redis database configuration file redis.conf.
  2. Run the following command to change the password:

    requirepass <password>;
  • If there is already a password, the command will change it to the new password.
  • If there has been no password set, the command will set the password.
NOTE:

Replace <password> with the new password.

Tomcat
  1. Open the conf/tomcat-user.xml configuration file in the Tomcat root directory.
  2. Change the value of password under the user node to a strong password.

None

Weak Passwords and Unsafe Accounts FAQs

more