 

AWS Cognito - Prevent Password Reuse

I am curious if it is possible to prevent a user from re-using their password (or previous n passwords) in AWS Cognito. It seems like this would be a feature, but I don't see it in the documentation (https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-policies.html).

It is possible with IAM (https://docs.amazonaws.cn/en_us/IAM/latest/UserGuide/id_credentials_passwords_account-policy.html).

samlauff asked Apr 05 '18 03:04



1 Answer

First of all, the AWS Cognito User Pools password policy and the AWS IAM user password policy are two different things. Although the IAM user password policy allows configuring password change enforcement, it's not available with AWS Cognito yet.

Currently, you can only configure the following attributes for the password.

  • Minimum password length
  • Password require numbers
  • Password require special character
  • Password require uppercase letters
  • Password require lowercase letters

In addition, you can configure MFA.

Ashan answered Sep 25 '22 11:09
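The five attributes listed in the answer are the whole of what a user pool's password policy can express. The example below is added here and is not code from the question or the answer: it builds such a policy, pushes it to a pool with boto3 (the user pool id is a placeholder), and checks a candidate password against the same five rules locally. There is deliberately no history check anywhere, because the policy has no such attribute; a reused password that meets the policy passes.

```python
"""Cognito user pool password policy: apply it, and check a password against it.

Added example, not the original post's code. POOL_ID is a placeholder; the
symbol set is the one Cognito's documentation lists for RequireSymbols.
"""

# Constructed policy; the keys are the PasswordPolicy fields update_user_pool accepts.
PASSWORD_POLICY = {
    "MinimumLength": 12,
    "RequireUppercase": True,
    "RequireLowercase": True,
    "RequireNumbers": True,
    "RequireSymbols": True,
}

# Characters Cognito counts as "special" for the RequireSymbols rule.
SYMBOLS = set("^$*.[]{}()?-\"!@#%&/\\,><':;|_~`+= ")


def policy_violations(password: str, policy: dict = PASSWORD_POLICY) -> list:
    """Return the names of the policy attributes the password fails (empty = passes).

    Note what is absent: no comparison against previous passwords is possible,
    because the pool policy carries no history; reuse has to be handled elsewhere.
    """
    failed = []
    if len(password) < policy["MinimumLength"]:
        failed.append("MinimumLength")
    if policy.get("RequireUppercase") and not any(c.isupper() for c in password):
        failed.append("RequireUppercase")
    if policy.get("RequireLowercase") and not any(c.islower() for c in password):
        failed.append("RequireLowercase")
    if policy.get("RequireNumbers") and not any(c.isdigit() for c in password):
        failed.append("RequireNumbers")
    if policy.get("RequireSymbols") and not any(c in SYMBOLS for c in password):
        failed.append("RequireSymbols")
    return failed


def apply_policy(user_pool_id: str, policy: dict = PASSWORD_POLICY, client=None):
    """Write the policy to the pool. Caveat: UpdateUserPool resets any pool
    setting you omit to its default, so pass the full configuration in practice."""
    if client is None:
        import boto3  # imported lazily so the local checks run without AWS access
        client = boto3.client("cognito-idp")
    return client.update_user_pool(UserPoolId=user_pool_id,
                                   Policies={"PasswordPolicy": policy})


if __name__ == "__main__":
    POOL_ID = "us-east-1_EXAMPLE"  # placeholder, not a real pool
    print(policy_violations("CorrectHorseBattery1"))  # missing a symbol
```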