{
  "id": "rotate-passwords",
  "title": "Rotate passwords",
  "url": "https://redis.io/docs/latest/operate/rs/7.8/security/access-control/manage-passwords/rotate-passwords/",
  "summary": "Rotate user passwords.",
  "content": "\nRedis Enterprise Software lets you implement password rotation policies using the [REST API]().\n\nYou can add a new password for a database user without immediately invalidating the old one to prevent possible authentication errors in production.\n\n\nPassword rotation does not work for the default user. [Add additional users]() to enable password rotation.\n\n\n## Password rotation policies\n\nFor user access to the Redis Enterprise Software Cluster Manager UI,\nyou can set a [password expiration policy]() to prompt the user to change their password.\n\nHowever, for database connections that rely on password authentication,\nyou need to allow for authentication with the existing password while you roll out the new password to your systems.\n\nWith the Redis Enterprise Software REST API, you can add additional passwords to your user account for authentication to the database or the Cluster Manager UI and API.\n\nAfter the old password is replaced in the database connections, you can delete the old password to finish the password rotation process.\n\n\nMultiple passwords are only supported using the REST API.\nIf you reset the password for a user in the Cluster Manager UI,\nthe new password replaces all other passwords for that user.\n\n\nThe new password cannot already exist as a password for the user and must meet the [password complexity]() requirements, if enabled.\n\n## Rotate password\n\nTo rotate passwords:\n\n1. Add an additional password to a user's password list with [`POST /v1/users/password`]().\n\n    ```sh\n    POST https://\u003chost\u003e:\u003cport\u003e/v1/users/password\n    {\n        \"username\": \"\u003ctarget_username\u003e\",\n        \"new_password\": \"\u003ca_new_password\u003e\"\n    }\n    ```\n\n    After you send this request, the user can authenticate with both the old and the new password.\n\n1. Update the password in all database connections that connect with the user account.\n1. Delete the original password with [`DELETE /v1/users/password`]():\n\n    ```sh\n    DELETE https://\u003chost\u003e:\u003cport\u003e/v1/users/password\n    {\n        \"username\": \"\u003ctarget_username\u003e\",\n        \"old_password\": \"\u003cexisting_password_to_delete\u003e\"\n    }\n    ```\n\n    If there is only one valid password for a user account, you cannot delete that password.\n\n## Replace all passwords\n\nYou can also replace all existing passwords for a user account with a single password that does not match any existing passwords.\nThis can be helpful if you suspect that your passwords are compromised and you want to quickly resecure the account.\n\nTo replace a user's passwords, use [`PUT /v1/users/password`]().\n\n```sh\nPUT https://\u003chost\u003e:\u003cport\u003e/v1/users/password\n{\n    \"username\": \"\u003ctarget_username\u003e\",\n    \"new_password\": \"\u003ca_new_password\u003e\"\n}\n```\n\nAfter this request, all of the user's existing passwords are deleted and only the new password is valid.\n",
  "tags": ["docs","operate","rs"],
  "last_updated": "2026-04-01T08:10:08-05:00"
}