- Prevent Password Reuse
Ensure that your Oracle Cloud Infrastructure (OCI) IAM password policy prevents password reuse. This establishes a history control, eliminating the risk of recycling old, compromised credentials.
The "Previous passwords remembered" setting in the OCI IAM password policy directly prevents password reuse. It forces users to cycle through unique passwords. Preventing password reuse is crucial because it limits the effectiveness of stolen credentials. If an old password is leaked, an attacker cannot use it again, which mitigates the risk of a breach.
Audit
To determine if your OCI IAM password policy prevents password reuse, perform the following operations:
Using OCI Console
01 Sign in to your Oracle Cloud Infrastructure (OCI) account.
02 Navigate to Identity console available at https://cloud.oracle.com/identity/.
03 In the left navigation panel, choose Domains, and select an OCI compartment from the Compartment dropdown menu next to Applied filters, to list all the domains created for that compartment.
04 Click on the name (link) of the domain that you want to examine, listed in the Name column.
05 Select the Domain policies tab to list the policies defined for your domain.
06 In the Password policy section, click on the name (link) of the IAM password policy that you want to examine.
07 Choose Actions from the top-right menu, select Edit password rules, choose Custom, and check the value in the Previous passwords remembered box to determine how many unique, consecutive new passwords an IAM user must create before they are allowed to reuse an old password. If the value in the Previous passwords remembered box is 0 (zero), password reuse prevention is not enforced; therefore, the IAM user password policy configured for your Oracle Cloud Infrastructure (OCI) domain is not compliant.
08 Repeat steps no. 6 and 7 for each IAM password policy configured for the selected OCI domain.
Using OCI CLI
01 Run iam compartment list command (Windows/macOS/Linux) with output query filters to list the ID of each compartment available in your Oracle Cloud Infrastructure (OCI) account:
oci iam compartment list --all --include-root --query 'data[]."id"'
02 The command output should return the requested OCI compartment identifiers (OCIDs):
[
  "ocid1.tenancy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd",
  "ocid1.compartment.oc1..abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd"
]
03 Run iam domain list command (OSX/Linux/UNIX) to list the OCI domains created for your Oracle Cloud Infrastructure (OCI) compartment:
oci iam domain list --compartment-id 'ocid1.tenancy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd' --query 'data[].["display-name","url"]'
04 The command output should return the name and the endpoint of each OCI domain available in the selected compartment:
[
  [
    "Project5",
    "https://idcs-aaaabbbbccccddddabcd1234abcd1234.identity.oraclecloud.com:443"
  ],
  [
    "Default",
    "https://idcs-aaaabbbbccccddddabcdabcd1234abcd.identity.oraclecloud.com:443"
  ]
]
05 Run identity-domains password-policies list command (OSX/Linux/UNIX) to list the ID (used as the name) of each IAM password policy created for the specified OCI domain:
oci identity-domains password-policies list --endpoint 'https://idcs-aaaabbbbccccddddabcd1234abcd1234.identity.oraclecloud.com' --query 'data."resources"[]."id"'
06 The command output should return the requested IAM password policy ID(s):
[ "PasswordPolicy" ]
07 Run identity-domains password-policy get command (OSX/Linux/UNIX) with the ID of the IAM password policy that you want to examine as the identifier parameter, to describe the num-passwords-in-history parameter value. This value determines how many unique, consecutive new passwords an IAM user must create before they are allowed to reuse an old password:
oci identity-domains password-policy get \
  --password-policy-id 'PasswordPolicy' \
  --endpoint 'https://idcs-aaaabbbbccccddddabcd1234abcd1234.identity.oraclecloud.com' \
  --query 'data.{"num-passwords-in-history":"num-passwords-in-history"}'
08 The command output should return the requested parameter value:
{
  "num-passwords-in-history": null
}
If the identity-domains password-policy get command output returns 0 (zero) or null for the "num-passwords-in-history" property, as shown in the example above, the password reuse prevention is not enforced. As a result, the IAM user password policy configured for your Oracle Cloud Infrastructure (OCI) domain is not compliant.
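The audit steps above can be chained into one script. The following is an added example (not Trend Micro's or Oracle's code) that walks compartments, identity domains and password policies with the same OCI CLI commands shown in this section and applies the page's rule: a policy is compliant only when num-passwords-in-history is an integer of 1 or more, while null, 0 or a missing attribute means reuse prevention is not enforced. The CLI runner is injectable; sample_run is a constructed, offline stand-in whose output mirrors the shapes above (the OCIDs and endpoint it returns are placeholders), and run_oci calls the real CLI against a configured profile.

```python
import json
import subprocess
from typing import Callable, Dict, List

Runner = Callable[[List[str]], str]  # oci CLI arguments (without "oci") -> stdout


def run_oci(argv: List[str]) -> str:
    """Invoke the real OCI CLI; requires a configured profile (~/.oci/config)."""
    return subprocess.run(["oci", *argv], check=True,
                          capture_output=True, text=True).stdout


def reuse_prevention_enforced(policy: Dict) -> bool:
    """Compliant only when num-passwords-in-history is an integer >= 1.

    null, 0 and a missing attribute are all treated as "not enforced".
    """
    value = policy.get("num-passwords-in-history")
    return isinstance(value, int) and not isinstance(value, bool) and value >= 1


def domain_endpoint(url: str) -> str:
    """'iam domain list' returns the URL with :443; the --endpoint arguments
    on this page omit the port, so strip it."""
    return url[:-4] if url.endswith(":443") else url


def audit_domain(endpoint: str, run: Runner) -> Dict[str, bool]:
    """Return {policy_id: compliant} for every password policy in one domain."""
    listing = json.loads(run(["identity-domains", "password-policies", "list",
                              "--endpoint", endpoint]))
    results: Dict[str, bool] = {}
    for resource in listing["data"]["resources"]:
        policy_id = resource["id"]
        detail = json.loads(run(["identity-domains", "password-policy", "get",
                                 "--password-policy-id", policy_id,
                                 "--endpoint", endpoint]))
        results[policy_id] = reuse_prevention_enforced(detail["data"])
    return results


def audit_tenancy(run: Runner) -> Dict[str, Dict[str, bool]]:
    """Walk compartments -> identity domains -> password policies."""
    report: Dict[str, Dict[str, bool]] = {}
    compartments = json.loads(run(["iam", "compartment", "list",
                                   "--all", "--include-root"]))
    for comp in compartments["data"]:
        domains = json.loads(run(["iam", "domain", "list",
                                  "--compartment-id", comp["id"]]))
        for dom in domains["data"]:
            report[dom["display-name"]] = audit_domain(domain_endpoint(dom["url"]), run)
    return report


# Constructed sample data: placeholder OCID and endpoint, not real identifiers.
SAMPLE_ENDPOINT = "https://idcs-sample0000.identity.oraclecloud.com"


def sample_run(argv: List[str]) -> str:
    """Offline stand-in for the OCI CLI that returns page-shaped JSON."""
    command = " ".join(argv[:3])
    if command == "iam compartment list":
        return json.dumps({"data": [{"id": "ocid1.tenancy.oc1..SAMPLE"}]})
    if command == "iam domain list":
        return json.dumps({"data": [{"display-name": "Default",
                                     "url": SAMPLE_ENDPOINT + ":443"}]})
    if command == "identity-domains password-policies list":
        return json.dumps({"data": {"resources": [{"id": "PasswordPolicy"},
                                                  {"id": "StrictPolicy"}]}})
    if command == "identity-domains password-policy get":
        policy_id = argv[argv.index("--password-policy-id") + 1]
        history = None if policy_id == "PasswordPolicy" else 12  # null vs. enforced
        return json.dumps({"data": {"id": policy_id,
                                    "num-passwords-in-history": history}})
    raise ValueError("unexpected command: " + command)


if __name__ == "__main__":
    # Replace sample_run with run_oci to audit a live tenancy.
    for domain, policies in audit_tenancy(sample_run).items():
        for policy_id, ok in policies.items():
            print(f"{domain}/{policy_id}: {'compliant' if ok else 'NOT compliant'}")
```

The bool exclusion in reuse_prevention_enforced matters because Python treats True as an int; without it a malformed value of true would pass the check.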
Remediation / Resolution
To enforce password reuse prevention for your Oracle Cloud Infrastructure (OCI) IAM user passwords, perform the following operations:
Using OCI Console
01 Sign in to your Oracle Cloud Infrastructure (OCI) account.
02 Navigate to Identity console available at https://cloud.oracle.com/identity/.
03 In the left navigation panel, choose Domains, and select an OCI compartment from the Compartment dropdown menu next to Applied filters, to list all the domains created for that compartment.
04 Click on the name (link) of the domain that you want to access, listed in the Name column.
05 Select the Domain policies tab to list the policies defined for your domain.
06 In the Password policy section, click on the name (link) of the IAM password policy that you want to configure.
07 Choose Actions from the top-right menu and select Edit password rules.
08 On the Edit password rules configuration panel, choose Custom, and ensure that the value inside the Previous passwords remembered box is 1 or higher (e.g., 12 or 24 is recommended). This enables password reuse prevention. Choose Save changes to apply the configuration changes.
09 (Optional) To force all IAM users to set a new password at the next sign in, select the Force all users to set a new password at next sign in checkbox, and choose Save changes.
10 Repeat steps no. 6 - 9 for each IAM password policy configured for the selected OCI domain.
Using OCI CLI
01 Run identity-domains password-policy put command (OSX/Linux/UNIX) to enforce password reuse prevention for your OCI IAM user passwords by setting the --num-passwords-in-history parameter to a positive value (e.g., 12 or 24 is recommended). Note that put replaces the whole password policy resource, so pass the rules you want to keep (such as --min-length, --max-length and --password-expires-after in the example below) together with the new value; rules you omit are not preserved:
oci identity-domains password-policy put \
  --name 'project5-domain-password-policy' \
  --password-policy-id 'PasswordPolicy' \
  --endpoint 'https://idcs-aaaabbbbccccddddabcd1234abcd1234.identity.oraclecloud.com' \
  --schemas '["urn:ietf:params:scim:schemas:oracle:idcs:PasswordPolicy"]' \
  --priority 3 \
  --min-length 6 \
  --max-length 12 \
  --password-expires-after 365 \
  --num-passwords-in-history 12
02 Type Y and press Enter for confirmation:
WARNING: Updates to schemas and meta and idcs-created-by and idcs-last-modified-by and idcs-prevented-operations and tags and disallowed-user-attribute-values and disallowed-substrings and groups and configured-password-policy-rules will replace any existing values. Are you sure you want to continue? [y/N]: Y
03 The command output should return the configuration information available for the modified IAM user password policy:
{
  "data": {
    "allowed-chars": null,
    "compartment-ocid": "ocid1.tenancy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd",
    "configured-password-policy-rules": null,
    "delete-in-progress": null,
    "description": null,
    "dictionary-delimiter": null,
    "dictionary-location": null,
    "dictionary-word-disallowed": null,
    "disallowed-chars": null,
    "disallowed-substrings": null,
    "disallowed-user-attribute-values": null,
    "distinct-characters": null,
    "domain-ocid": "ocid1.domain.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd",
    "groups": null,
    "id": "PasswordPolicy",
    ...
    "last-name-disallowed": null,
    "lockout-duration": null,
    "max-incorrect-attempts": null,
    "max-length": 12,
    "password-expires-after": 365,
    "num-passwords-in-history": 12,
    "priority": 3,
    "required-chars": null,
    "schemas": [
      "urn:ietf:params:scim:schemas:oracle:idcs:PasswordPolicy"
    ],
    "tenancy-ocid": "ocid1.tenancy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd",
    "user-name-disallowed": null
  },
  "etag": "abcd1234abcd1234abcd1234abcd1234",
  "opc-total-items": "-1"
}
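Because put replaces the entire policy resource (the confirmation warning above lists the attributes whose existing values are overwritten), a safe remediation reads the current policy first and carries its rules over. The following added example (not the page's or Oracle's code) does that: it fetches the policy with password-policy get, skips it if it already remembers at least the requested number of passwords, otherwise builds the put command with the attributes the page's own put invocation sets (--name, --priority, --min-length, --max-length, --password-expires-after, --schemas) plus --num-passwords-in-history, and verifies the returned resource. The --force flag is assumed to be the CLI's generic option for skipping the interactive "[y/N]" prompt and is not shown on this page. sample_run is a constructed offline stand-in; use run_oci against a real domain.

```python
import json
import subprocess
from typing import Callable, Dict, List

Runner = Callable[[List[str]], str]  # oci CLI arguments (without "oci") -> stdout

# Policy attributes (as named in get/put output) -> the CLI flags the page's put command uses.
PRESERVED_FLAGS = {
    "name": "--name",
    "priority": "--priority",
    "min-length": "--min-length",
    "max-length": "--max-length",
    "password-expires-after": "--password-expires-after",
}
DEFAULT_SCHEMAS = ["urn:ietf:params:scim:schemas:oracle:idcs:PasswordPolicy"]


def run_oci(argv: List[str]) -> str:
    """Invoke the real OCI CLI; requires a configured profile."""
    return subprocess.run(["oci", *argv], check=True,
                          capture_output=True, text=True).stdout


def build_put_args(endpoint: str, policy: Dict, history: int) -> List[str]:
    """Arguments for 'password-policy put' that keep the policy's current rules
    and set the password-history depth (must be >= 1 to prevent reuse)."""
    if isinstance(history, bool) or not isinstance(history, int) or history < 1:
        raise ValueError("num-passwords-in-history must be an integer >= 1")
    argv = ["identity-domains", "password-policy", "put",
            "--password-policy-id", policy["id"], "--endpoint", endpoint,
            "--schemas", json.dumps(policy.get("schemas") or DEFAULT_SCHEMAS),
            "--num-passwords-in-history", str(history),
            "--force"]  # assumed: generic CLI option that skips the [y/N] confirmation
    for key, flag in PRESERVED_FLAGS.items():
        if policy.get(key) is not None:  # null attributes stay unset
            argv += [flag, str(policy[key])]
    return argv


def remediate(endpoint: str, policy_id: str, history: int, run: Runner) -> Dict:
    """Ensure the policy remembers at least `history` previous passwords.

    Returns the policy data after the (possibly skipped) update and checks that
    the CLI echoed back the requested depth.
    """
    current = json.loads(run(["identity-domains", "password-policy", "get",
                              "--password-policy-id", policy_id,
                              "--endpoint", endpoint]))["data"]
    existing = current.get("num-passwords-in-history")
    if isinstance(existing, int) and not isinstance(existing, bool) and existing >= history:
        return current  # already at least as strict: do not replace the resource
    updated = json.loads(run(build_put_args(endpoint, current, history)))["data"]
    if updated.get("num-passwords-in-history") != history:
        raise RuntimeError(f"{policy_id}: history is "
                           f"{updated.get('num-passwords-in-history')!r}, expected {history}")
    return updated


# Constructed sample data (placeholder endpoint; values mirror the page's example).
SAMPLE_ENDPOINT = "https://idcs-sample0000.identity.oraclecloud.com"
SAMPLE_POLICIES = {
    "PasswordPolicy": {"id": "PasswordPolicy", "name": "project5-domain-password-policy",
                       "schemas": DEFAULT_SCHEMAS, "priority": 3, "min-length": 6,
                       "max-length": 12, "password-expires-after": 365,
                       "num-passwords-in-history": None},  # the page's non-compliant case
    "StrictPolicy": {"id": "StrictPolicy", "name": "strict", "schemas": DEFAULT_SCHEMAS,
                     "priority": 1, "min-length": 14, "max-length": 64,
                     "password-expires-after": 90, "num-passwords-in-history": 24},
}


def _flag(argv: List[str], flag: str):
    """Value following `flag` in argv, or None if absent."""
    return argv[argv.index(flag) + 1] if flag in argv else None


def sample_run(argv: List[str]) -> str:
    """Offline stand-in for the CLI: serves get, and for put rebuilds the replaced
    resource from the arguments it received, exactly as omitted rules would be lost."""
    verb = argv[2]
    policy = SAMPLE_POLICIES[_flag(argv, "--password-policy-id")]
    if verb == "get":
        return json.dumps({"data": policy})
    if verb == "put":
        data = {"id": policy["id"], "schemas": json.loads(_flag(argv, "--schemas")),
                "num-passwords-in-history": int(_flag(argv, "--num-passwords-in-history"))}
        for key, flag in PRESERVED_FLAGS.items():
            value = _flag(argv, flag)
            data[key] = value if key == "name" else (int(value) if value is not None else None)
        SAMPLE_POLICIES[policy["id"]] = data
        return json.dumps({"data": data})
    raise ValueError("unexpected command: " + " ".join(argv[:3]))


if __name__ == "__main__":
    for pid in list(SAMPLE_POLICIES):  # use run_oci for a live domain
        result = remediate(SAMPLE_ENDPOINT, pid, 12, sample_run)
        print(pid, "-> num-passwords-in-history =", result["num-passwords-in-history"])
```

Only the attributes the page's put command sets are carried over here; a policy that also uses rules such as lockout or character-class requirements needs those flags added to PRESERVED_FLAGS before put is run, or they are lost in the replacement.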
References
- Oracle Cloud Infrastructure Documentation
- Managing Password Policies
- Modifying the Custom Password Policy
- Creating a Password Policy
- Oracle Cloud Infrastructure CLI Documentation
- compartment list
- domain list
- password-policies list
- password-policy get
- password-policy put