User Pools should enforce passwords of at least 10 characters

Why is this important?

By default, Cognito User Pools enforce passwords of at least 8 characters. This is a weak password policy and should be changed to at least 10 characters. Passwords of 8 characters are quite easy to guess and brute force.

How to fix

To comply, set the MinimumPasswordLength property of your userPools to 10 or higher. For example, in the console, you can change this in the sign-up experience section of the user pool.

AWS CDK example

new UserPool(this, 'myuserpool', {
  // ...
  passwordPolicy: {
    minLength: 10,
  },
});

AWS CloudFormation example

Resources:
  MyUserPool:
    Type: AWS::Cognito::UserPool
    Properties:
      # ...
      Policies:
        PasswordPolicy:
          MinimumLength: 10

Terraform example

resource "aws_cognito_user_pool" "myuserpool" {
  # ...
  password_policy {
    minimum_length = 10
  }
}

User Pools should enforce passwords of at least 10 characters

Why is this important?​

How to fix​

AWS CDK example​

AWS CloudFormation example​

Terraform example​

Why is this important?

How to fix

AWS CDK example

AWS CloudFormation example

Terraform example