
Misleading error during 90-day password rotation: "old password incorrect" when new password fails policy

-1

When signing in to AWS and being prompted to change an expired (or expiring) password due to the account's password rotation policy, the password change form returns the following error if the new password does not meet the account password policy:

"Your authentication information is incorrect. Please check your old password."

This error is misleading. The old password is correct — it was just used successfully to authenticate moments earlier on the same screen. The actual problem is that the new password fails one or more password policy requirements (e.g., minimum length, character classes, reuse prevention). Steps to reproduce:

  1. Account has a strict password policy (e.g., min length 16, uppercase + lowercase + number + symbol, 90-day rotation, prevent reuse of last 5 passwords).
  2. IAM user signs in with their current password after the rotation period has elapsed.
  3. AWS prompts the user to set a new password, asking for the old password and a new password.
  4. User enters the correct old password and a new password that does not meet the policy (e.g., too short, missing a character class, or matches a recently used password).
  5. Form returns: "Your authentication information is incorrect. Please check your old password."

Expected behavior: The error should clearly state that the new password does not meet the account password policy, ideally specifying which requirement failed (length, character class, symbol set, reuse history, etc.).

Actual behavior: The error blames the old password — even though it was just accepted by the same login flow seconds earlier. This sends users down a long debugging path, suspecting copy-paste issues, browser autofill, expired credentials, or admin-side problems, when the actual issue is purely on the new-password validation.

Impact: This has been reported in various forms across re:Post and other forums for several years. It costs user time on every password rotation cycle and undermines trust in the error messaging during a security-sensitive flow. The fact that the old password was just used to authenticate makes the error particularly nonsensical.

Request: Please update the validation logic on the password change form to surface a policy-specific error when the new password fails policy, distinct from old-password authentication failures. Ideally, the error should also indicate which specific policy requirement was not met.

asked 15 days ago, 42 views
1 Answer
0

Thank you for the detailed feedback about the misleading error message during password rotation. You've identified a genuine usability issue in the IAM password change flow that can cause confusion for users.

You're correct that AWS account password policies can enforce various requirements including minimum password length (with a default of 14 characters), character complexity requirements (uppercase, lowercase, numbers, and symbols), password reuse prevention (preventing reuse of a configurable number of previous passwords, with a default of 24), and maximum password age (with a default of 90 days).

When a user's password expires or is approaching expiration and they're prompted to change it, the system should clearly distinguish between authentication failures (incorrect old password) and policy validation failures (new password doesn't meet requirements). The current error message you're experiencing - which suggests the old password is incorrect when it was just successfully used for authentication - is indeed misleading and creates unnecessary troubleshooting burden.

While I can confirm that AWS password policies support all the requirements you mentioned (minimum length, character class requirements, reuse prevention, and expiration periods), I cannot directly address product feature requests or confirm planned changes to error messaging in the AWS Console.

For issues like this that affect the user experience of AWS services, I'd recommend:

  1. Submitting feedback through the AWS Console feedback mechanism
  2. Working with AWS Support to file a feature request
  3. Engaging with your AWS account team if you have one

Your detailed reproduction steps and clear explanation of the expected versus actual behavior make this excellent feedback for the service team. The distinction between authentication errors and policy validation errors is an important one, especially during security-sensitive operations like password changes, and clearer error messaging would benefit all IAM users subject to password policies.
Sources
iam-password-policy - AWS Config
get_account_password_policy - Boto3 1.42.50 documentation

answered 15 days ago
EXPERT
reviewed 15 days ago
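A local pre-check that produces the policy-specific message the question asks for, added here as an example that is neither post's nor AWS's own code. It assumes a policy dict in the shape returned by boto3's `iam.get_account_password_policy()["PasswordPolicy"]` (the sample values are constructed to match the question's policy), and that the IAM symbol set is the one shown in the comment; the reuse check assumes a self-service tool keeps its own hashed password history, since IAM exposes none.

```python
import hashlib
import string

# Non-alphanumeric characters IAM counts as "symbols" (assumed from the IAM
# console's password-policy text; verify against current IAM documentation).
IAM_SYMBOLS = set("!@#$%^&*()_+-=[]{}|'")

# Constructed policy, shaped like boto3's iam.get_account_password_policy()["PasswordPolicy"].
SAMPLE_POLICY = {
    "MinimumPasswordLength": 16,
    "RequireUppercaseCharacters": True,
    "RequireLowercaseCharacters": True,
    "RequireNumbers": True,
    "RequireSymbols": True,
    "PasswordReusePrevention": 5,
}

CLASS_CHECKS = [
    ("RequireUppercaseCharacters", set(string.ascii_uppercase), "an uppercase letter"),
    ("RequireLowercaseCharacters", set(string.ascii_lowercase), "a lowercase letter"),
    ("RequireNumbers", set(string.digits), "a number"),
    ("RequireSymbols", IAM_SYMBOLS, "a symbol"),
]


def policy_failures(new_password, policy, previous_hashes=()):
    """Return the reasons new_password fails policy (empty list means it passes)."""
    # previous_hashes: SHA-256 hex digests of the user's recent passwords, newest last,
    # kept by a self-service tool (assumption: IAM does not expose password history).
    failures = []
    min_len = policy["MinimumPasswordLength"]
    if len(new_password) < min_len:
        failures.append(f"shorter than the minimum length of {min_len}")
    for key, charset, label in CLASS_CHECKS:
        if policy.get(key) and not any(c in charset for c in new_password):
            failures.append(f"missing {label}")
    reuse = policy.get("PasswordReusePrevention", 0)
    if reuse:
        digest = hashlib.sha256(new_password.encode()).hexdigest()
        if digest in list(previous_hashes)[-reuse:]:
            failures.append(f"matches one of the last {reuse} passwords")
    return failures


def describe(new_password, policy, previous_hashes=()):
    """The message the question asks for: policy-specific, never 'check your old password'."""
    failures = policy_failures(new_password, policy, previous_hashes)
    return ("new password rejected by policy: " + "; ".join(failures)
            if failures else "new password meets the account password policy")
```

Run it as `describe(candidate, SAMPLE_POLICY, history)` before submitting the console form; a non-empty failure list tells the user exactly which requirement the new password misses.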
