

# Setting up user passwords
<a name="set-up-user-passwords"></a>

For users created in the Identity Center directory, administrators can manage password policies, handle users without initial passwords, and reset passwords when needed. These password management features apply only to users in the built-in Identity Center directory. If you're using Active Directory or an external identity provider, you must manage passwords in those systems. 

**Password management options**
+  **Password requirements** – Security requirements that users must meet when setting or changing passwords. This includes complexity rules and reuse restrictions. 
+  **One-time password setup** – Configure email verification for users created through API or CLI who don't have initial passwords. You can also generate temporary passwords for immediate access. 
+  **Password resets** – Reset passwords for users who are locked out or need new credentials. You can send reset instructions using email or generate one-time passwords. 

**Topics**
+ [Password requirements when managing identities in IAM Identity Center](password-requirements.md)
+ [Email one-time password to users created with API or CLI](userswithoutpwd.md)
+ [Reset the IAM Identity Center user password for an end user](reset-password-for-user.md)

# Password requirements when managing identities in IAM Identity Center
<a name="password-requirements"></a>

**Note**  
These requirements apply only to users created in the Identity Center directory. If you have configured an identity source other than IAM Identity Center for authentication, such as [Active Directory](https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/get-started/adac/introduction-to-active-directory-administrative-center-enhancements--level-100-#fine_grained_pswd_policy_mgmt) or an [external identity provider](confirm-identity-source.md), the password policies for your users are defined and enforced in those systems, not in IAM Identity Center. If your identity source is AWS Managed Microsoft AD, see [Manage password policies for AWS Managed Microsoft AD](https://docs.aws.amazon.com//directoryservice/latest/admin-guide/ms_ad_password_policies.html) for more information.

When you use IAM Identity Center as your identity source, users must adhere to the following password requirements to set or change their password:
+ Passwords are case-sensitive.
+ Passwords must be between 8 and 64 characters in length.
+ Passwords must contain at least one character from each of the following four categories:
  + Lowercase letters (a-z)
  + Uppercase letters (A-Z)
  + Numbers (0-9)
  + Non-alphanumeric characters (`` ~!@#$%^&*_-+=`|\(){}[]:;"'<>,.?/ ``)
+ The last three passwords cannot be reused.
+ Passwords that are publicly known through a data set leaked from a third party cannot be used.
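As an added example (not code from the AWS documentation), the following Python check applies the requirements above to a proposed password before an administrator hands it to a user, including the case-sensitive comparison against the last three passwords and a lookup in a leaked-password set. The special-character set is the one listed in the policy; the leaked-password set and the history values are constructed stand-ins.

```python
# Non-alphanumeric characters accepted by the Identity Center directory
# password policy (the set listed in the AWS documentation).
SPECIALS = set('~!@#$%^&*_-+=`|\\(){}[]:;"\'<>,.?/')

# Constructed stand-in for a third-party leaked-password data set.
KNOWN_LEAKED = {"Password123!", "Welcome2024!", "Summer2023$"}


def check_password(candidate, previous=(), leaked=KNOWN_LEAKED):
    """Return the list of violated requirements; an empty list means the
    candidate satisfies the Identity Center directory password policy.

    `previous` is the user's password history, most recent first; only the
    last three entries count for the reuse rule. Every comparison is
    case-sensitive, as the policy requires.
    """
    problems = []
    if not 8 <= len(candidate) <= 64:
        problems.append("length must be 8-64 characters")
    if not any("a" <= c <= "z" for c in candidate):
        problems.append("missing lowercase letter")
    if not any("A" <= c <= "Z" for c in candidate):
        problems.append("missing uppercase letter")
    if not any("0" <= c <= "9" for c in candidate):
        problems.append("missing digit")
    if not any(c in SPECIALS for c in candidate):
        problems.append("missing non-alphanumeric character")
    # Exact (case-sensitive) match against the three most recent passwords.
    if candidate in list(previous)[:3]:
        problems.append("matches one of the last three passwords")
    if candidate in leaked:
        problems.append("appears in a leaked data set")
    return problems


if __name__ == "__main__":
    for pw in ("Correct-Horse9", "abcdefg1!", "Password123!"):
        print(pw, "->", check_password(pw) or "ok")
```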

# Email one-time password to users created with API or CLI
<a name="userswithoutpwd"></a>

When you create users with the [CreateUser](https://docs.aws.amazon.com/singlesignon/latest/IdentityStoreAPIReference/API_CreateUser.html) API operation or the `create-user` CLI command, the users do not have passwords. You can update the settings in IAM Identity Center to send these users a verification email after their first attempt to sign in, if you’ve specified an email for the user when they were created. After receiving the verification email, the user must set a password to sign in.

If you don’t enable this setting, you must [generate a one-time password](reset-password-for-user.md) and share it with users that you create using the CreateUser API or `create-user` CLI command.

**To send an email address verification email to users created with the CreateUser API or `create-user` CLI command**

1. Open the [IAM Identity Center console](https://console.aws.amazon.com/singlesignon).

1. Choose **Settings**.

1. On the **Settings** page, choose the **Authentication** tab.

1. In the **Standard authentication** section, choose **Configure**.

1. In the **Configure standard authentication** dialog box, select the **Send email OTP** check box. Then, choose **Save**. The status updates from **Disabled** to **Enabled**.

# Reset the IAM Identity Center user password for an end user
<a name="reset-password-for-user"></a>

This procedure is for administrators who need to reset the password for a user in the IAM Identity Center directory. You'll use the IAM Identity Center console to reset passwords.

**Considerations for identity providers and user types**
+ **Microsoft Active Directory or external provider** – If you are connecting IAM Identity Center to Microsoft Active Directory or an external provider, user password resets must be done from within Active Directory or the external provider. This means that passwords for those users cannot be reset from the IAM Identity Center console.
+ **Users in the IAM Identity Center directory** – If you are an IAM Identity Center user, you can reset your own IAM Identity Center password. See [Resetting your AWS access portal user password](resetpassword-accessportal.md).

**To reset a password for an IAM Identity Center end user**
**Important**  
The instructions on this page apply to [AWS IAM Identity Center](https://aws.amazon.com/iam/identity-center/). They do not apply to [AWS Identity and Access Management](https://aws.amazon.com/iam/) (IAM). IAM Identity Center users, groups, and user credentials are different from IAM users, groups, and IAM user credentials. If you are looking for instructions on changing passwords for IAM users, see [ Managing passwords for IAM users](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_passwords_admin-change-user.html) in the *AWS Identity and Access Management User Guide*.

1. Open the [IAM Identity Center console](https://console.aws.amazon.com/singlesignon).

1. Choose **Users**.

1. Select the username of the user whose password you want to reset.

1. On the user details page, choose **Reset password**.

1. In the **Reset password** dialog box, select one of the following choices, and then choose **Reset password**:

   1. **Send an email to the user with instructions to reset the password** – This option automatically sends the user an email addressed from Amazon Web Services that walks them through how to reset their password.

      **Warning**  
      As a security best practice, verify that the email address for this user is correct prior to selecting this option. If this password reset email were to be sent to an incorrect or misconfigured email address, a malicious recipient could use it to gain unauthorized access to your AWS environment.

   1. **Generate a one-time password and share the password with the user** – This option provides you with the password details that you can manually send to the user from your email address.