Help Center/ Host Security Service/ Best Practices/ Using HSS to Prevent Weak Passwords
Updated on 2025-07-10 GMT+08:00
View PDF
Share

Using HSS to Prevent Weak Passwords

Scenario

A weak password is short, common, or something that could be rapidly guessed by brute force attacks. Common weak passwords include but are not limited to the following:

  • Common default system passwords, such as admin, root, Tomcat, and manager.
  • Only digits, only letters, or a combination of numbers and letters, for example, admin123, 123456, and abcde.
  • Passwords that have special meanings and can be easily guessed by others, such as the birthday, name, and mobile number.
  • Multiple system accounts use the same password.

Weak passwords in the server system may bring the following risks:

  • Information leakage: Attackers can intrude accounts and obtain users' privacy information and financial data through brute force cracking or password guessing.
  • System damage: Attackers crack weak passwords to intrude the system and maliciously attack the system. For example, attackers can delete important data, implant malware, and maliciously modify programs, causing the system to break down or fail to run.

HSS can detect common weak passwords set in the server system and key software, including weak passwords of MySQL, FTP, Redis, and system accounts in the Linux system and weak passwords of system accounts in the Windows system. You are advised to use HSS to detect weak passwords in the server system, improve password security, and change passwords periodically to avoid security risks.

Prerequisites

The HSS professional, enterprise, premium, WTP, or container edition has been enabled for the server. For details, see HSS Access Overview.

How Do I Avoid Weak Password Risks?

  1. Check whether there are servers with weak passwords.

    After HSS is enabled for a server, HSS automatically checks it for weak passwords at about 04:00 every morning by default. If you change the check time in the default policy or create a custom check policy, HSS will check for weak passwords at the time you set.

    To view weak password check results, perform the following steps:
    1. Log in to the management console.
    2. In the upper left corner of the page, select a region, click , and choose Security & Compliance > Host Security Service.
    3. In the navigation pane on the left, choose Risk Management > Baseline Checks.

    4. (Optional) If you have enabled the enterprise project function, select an enterprise project from the Enterprise Project drop-down list in the upper part of the page to view its data.

    5. In the lower part of the page, click the Common Weak Password Risks tab to view weak passwords on servers.
    To add custom weak passwords, perform the following steps:
    1. In the upper right corner of the common weak password list, click Define Weak Passwords.
    2. Enter weak passwords. Put each weak password on a separate line.
    3. Click OK.

      The custom weak passwords you defined will be used for weak password scans on all servers.

  2. Change weak passwords to enhance password security.

    Check the server name, IP address, account name, account type, and suggestion of the weak password detected in 1. Log in to the server and change its password. For more information, see How Do I Set a Secure Password?

  3. Change the password periodically.

    You are advised to change the password every 90 days.

How Do I Set a Secure Password?

  • Recommended password complexity

    To ensure password security, you are advised to set the password based on the following rules:

    • Consists of 8 to 26 characters.
    • Contains at least three of the following character types:
      • Uppercase letter
      • Lowercase letter
      • Digits
      • Special characters for Windows ECSs: ! @ $ % ^ - _ = + [ { ( ) } ] : , . / ? ~ # *
      • Special characters for Linux ECSs: ! @ $ % ^ - _ = + [ { } ] : , . / ? ~ # *
    • The password cannot contain the username or the username spelled backwards.
    • For Windows servers, the password cannot contain more than two consecutive characters of the username.
  • Common methods for changing system passwords

    System

    Procedure

    Remarks

    Windows OS

    To change the password in the Windows 10, perform the following steps:

    1. Log in to the Windows OS.
    2. Click in the lower left corner and click .
    3. In the Windows Settings window, click Accounts.
    4. Choose Sign-in options from the navigation tree.
    5. On the Sign-in options tab, click Change under Password.

    None

    Linux OS

    Log in to the Linux server and run the following command:

    passwd [<user>]

    Replace <user> with the username. If you do not specify any username, you are changing the password of the current user.

    After the command is executed, enter the new password as prompted.

    MySQL database
    1. Log in to the MySQL database.
    2. Run the following command to check the database user password:

      SELECT user, host, authentication_string From user;

      This command is probably invalid in certain MySQL versions.

      In this case, run the following command:

      SELECT user, host password From user;

    3. Run the following command to change the password:

      SET PASSWORD FOR'Username'@'Host'=PASSWORD('New_password');

    4. Run the following command to refresh password settings:

      flush privileges;

    None

    Redis database
    1. Open the Redis database configuration file redis.conf.
    2. Run the following command to change the password:

      requirepass <password>;

    Replace <password> with the new password.

    • If there is already a password, the command will change it to the new password.
    • If there has been no password set, the command will set the password.

    Tomcat
    1. Open the conf/tomcat-user.xml configuration file in the Tomcat root directory.
    2. Change the value of password under the user node to a strong password.

    None