ALTER USER lets a SECURITYADMIN-level role reset or force-reset a Snowflake user’s password.
Change a password after employee turnover, suspected compromise, or to enforce periodic rotation. Immediate resets cut risk and satisfy compliance rules.
Only SECURITYADMIN or a custom role with the MANAGE GRANTS privilege can execute ALTER USER to set or force a new password.
Log in, switch to role SECURITYADMIN, and run ALTER USER <current_user> SET PASSWORD.Snowflake stores only salted, hashed passwords.
Core form: ALTER USER <user_name> SET PASSWORD = '<new_pwd>' [ MUST_CHANGE_PASSWORD = TRUE ]; The optional flag forces the user to choose another password at next log-in.
Yes.Append MUST_CHANGE_PASSWORD = TRUE; Snowflake prompts for a fresh password, ensuring the admin never learns the final secret.
Use randomly generated 16+ character strings, rotate service-account passwords quarterly, and audit USER_PASSWORD_CHANGE_HISTORY for success/failure events.
Query LOGIN_HISTORY or attempt a new session with the updated credentials. Always revoke unused roles after password updates.
1) Assume SECURITYADMIN. 2) ALTER USER with quoted password. 3) Optionally set MUST_CHANGE_PASSWORD. 4) Test login.5) Record ticket for audit.
.
No. Snowflake transmits the string securely and stores only salted hashes, never the clear text.
Yes, they can run `ALTER USER SET PASSWORD =` while using their current role, provided their session is authenticated with MFA or current password.
Account-level parameters `PASSWORD_MIN_LENGTH`, `PASSWORD_MIN_UPPER_CASE_CHARS`, etc., let admins define robust complexity rules.
.png)
.avif){kind=logo}
