Adding user pool password requirements - Amazon Cognito
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Adding user pool password requirements

Strong, complex passwords are a security best practice for your user pool. Especially in applications that are open to the internet, weak passwords can expose your users' credentials to systems that guess passwords and try to access your data. The more complex a password is, the more difficult it is to guess. Amazon Cognito has additional tools for security-conscious administrators, like advanced security features and Amazon WAF web ACLs, but your password policy is a central element of the security of your user directory.

Passwords for local users in Amazon Cognito user pools don't automatically expire. As a best practice, log the time, date, and metadata of user password resets in an external system. With an external log of password age, your application or a Lambda trigger can look up a user's password age and require a reset after a given period.

You can configure your user pool to require a minimum password complexity that conforms to your security standards. Complex passwords have a minimum length of at least eight characters. They also include a mix of uppercase, numeric, and special characters.

To set a user pool password policy
  1. Create a user pool and navigate to the Configure security requirements step, or access an existing user pool and navigate to the Sign-in experience tab.

  2. Navigate to Password policy.

  3. Choose a Password policy mode. Cognito defaults configures your user pool with the recommended minimum settings. You can also choose a Custom password policy.

  4. Set a Password minimum length. All users must sign up or be created with a password whose length is greater than or equal to this value. You can set this minimum value as high as 99, but your users can set passwords up to 256 characters long.

  5. Configure password complexity rules under Password requirements. Choose the character types–numbers, special characters, uppercase letters, and lowercase letters–that you want to require at least one of in each user's password.

    You can require at least one of the following characters in passwords. After Amazon Cognito verifies that passwords contain the minimum required characters, your users' passwords can contain additional characters of any type up to the maximum password length.

    • Uppercase and lowercase basic latin letters

    • Numbers

    • The following special characters.

      ^ $ * . [ ] { } ( ) ? " ! @ # % & / \ , > < ' : ; | _ ~ ` = + -
    • Non-leading, non-trailing space characters.

  6. Set a value for Temporary passwords set by administrators expire in. After this period has passed, a new user that you created in the Amazon Cognito console or with AdminCreateUser can't sign in and set a new password. After they sign in with their temporary password, their user accounts never expire. To update the password duration in the Amazon Cognito user pools API, set a value for TemporaryPasswordValidityDays in your CreateUserPool or UpdateUserPool API request.

    1. To reset access for an expired user account, do one of the following.