Tags: amazon-web-services, passwords, amazon-cognito, aws-userpools, password-policy

Updating Cognito user pool password policy


New security guidelines in the organisation require us to change our password policy from 8 characters to 12 (and to require uppercase, lowercase and special characters).

Our users are currently managed in a user pool on AWS Cognito. The policy change at first glance seems straightforward, since you can do it in the UI. But what does this mean for existing users?

Or will they just be denied access the next time they try to log in? Or is the policy gonna be applied only to new users?

If that is not the case, I suppose this has to be handled by the developer, changing the status of ALL users to FORCE_CHANGE_PASSWORD via a script. Since passwords are hashed, there's no way to tell which current users already have passwords that comply with the new policy.


Solution

  • If you change the policy, it won't have any impact on existing users: their state will remain the same and they will be able to continue logging in with their existing password, even if it doesn't meet the new policy.

    The reason for this, as you mentioned, is that the passwords are stored hashed, making it impossible to know which particular criteria a password met. Storing any additional metadata about the password (length, cases, number and symbol usage) would seriously undermine its security.

    New users will be impacted by it when signing up: they need to meet the new policy.

    As for existing users, if you want to make sure the passwords match the new policy, you'll need to do it by calling the AdminResetUserPassword action to invalidate the existing password (or AdminSetUserPassword with a non-permanent new password, if you want to set one) and require a password reset at next login.
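As an added example (not part of the original answer, and not AWS code), here is a boto3 script that implements the bulk approach the answer describes: walk the user pool with ListUsers and call AdminResetUserPassword on every CONFIRMED user so that their next sign-in demands a new password, which Cognito then validates against the updated policy. Users already in FORCE_CHANGE_PASSWORD or RESET_REQUIRED state are skipped, because they will have to pick a policy-compliant password anyway. The user pool ID is a placeholder, the client is injected so the logic can be exercised with a fake, and `dry_run` defaults to True so you can review the report before touching a live pool. `list_users`, `admin_reset_user_password` and `admin_set_user_password` are real `cognito-idp` operations; the reporting structure is my own.

```python
"""Force a password reset for every confirmed user in a Cognito user pool.

Added example: assumes boto3 is installed and AWS credentials with
cognito-idp:ListUsers and cognito-idp:AdminResetUserPassword are configured.
"""
from typing import Any, Dict, Iterator, List

# Placeholder; replace with your own pool ID when running for real.
USER_POOL_ID = "REGION_XXXXXXXXX"


def iter_pool_users(client: Any, user_pool_id: str) -> Iterator[Dict[str, Any]]:
    """Yield every user in the pool, following ListUsers pagination.

    ListUsers returns at most 60 users per call and hands back a
    PaginationToken until the last page, which carries none.
    """
    token = None
    while True:
        kwargs: Dict[str, Any] = {"UserPoolId": user_pool_id, "Limit": 60}
        if token:
            kwargs["PaginationToken"] = token
        page = client.list_users(**kwargs)
        yield from page.get("Users", [])
        token = page.get("PaginationToken")
        if not token:
            return


def reset_all_passwords(
    client: Any, user_pool_id: str, dry_run: bool = True
) -> Dict[str, List[str]]:
    """Invalidate the password of every CONFIRMED user via AdminResetUserPassword.

    Returns usernames grouped by outcome so the run can be audited:
      reset   - password invalidated (or would be, in a dry run)
      skipped - user not in CONFIRMED state, so already forced to set a new one
      failed  - the API call raised (typically a user with no verified
                email/phone, to which Cognito cannot deliver the reset code)
    """
    report: Dict[str, List[str]] = {"reset": [], "skipped": [], "failed": []}
    for user in iter_pool_users(client, user_pool_id):
        name = user["Username"]
        if user.get("UserStatus") != "CONFIRMED":
            report["skipped"].append(name)
            continue
        if dry_run:
            report["reset"].append(name)
            continue
        try:
            # After this call the user's next sign-in returns
            # PasswordResetRequiredException and they must choose a new
            # password, which is checked against the current pool policy.
            client.admin_reset_user_password(UserPoolId=user_pool_id, Username=name)
            report["reset"].append(name)
        except Exception as exc:  # botocore ClientError when run against AWS
            print(f"reset failed for {name}: {exc}")
            report["failed"].append(name)
    return report


def main() -> None:
    import boto3  # imported here so the module loads without boto3 for testing

    client = boto3.client("cognito-idp")
    report = reset_all_passwords(client, USER_POOL_ID, dry_run=True)
    for outcome, names in report.items():
        print(f"{outcome}: {len(names)} user(s)")


if __name__ == "__main__":
    main()
```

If you would rather hand each user a known temporary password instead of having Cognito send a reset code, swap the `admin_reset_user_password` call for `client.admin_set_user_password(UserPoolId=..., Username=..., Password=temporary, Permanent=False)`, which puts the user into FORCE_CHANGE_PASSWORD as the question suggests; the report logic stays the same. Review the `failed` list after a real run, since users without a verified email or phone number need another delivery channel.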