How to implement password policies and constraints in Drupal 8
Drupal is famous for its security compared to other open source content management systems. Password policies and password constraints are two security features that make users follow certain conditions when creating a password in the user registration form. Here we are going to discuss the Password Policy module and how it can be used to implement strong password policies and constraints in your Drupal user registration form. This module also provides password expiry options. The purpose of this module and its sub modules can be summarised as shown below.
- Creating Password policies
- Configuring constraints for password
- Configuring Password Expiry for each role
You can download this module from the link below, or you can install it with Composer:
composer require 'drupal/password_policy:^3.0'
Before installing the Password Policy module, make sure the Ctools module is installed and enabled.
Go to your module list page; under the Security section you can see each module and its purpose. You have to enable the Password Policy module first, then enable the other sub modules based on your requirements.
I have enabled 7 modules and will show how to configure each one.
Under Configuration -> Security you can see Password Policy. Clicking it redirects to the configuration page where we can create policies for each role.
This will navigate to the page where policies are listed.
Here we are going to create a policy by clicking Add Policy.
I have created a policy and set the password expiry to 30 days. Enter 0 if you don't want passwords to expire.
In the next step we can add each constraint. Please note that the policy name can be any meaningful name, but it becomes read-only after moving to the next step.
On this page we can set all the constraints. You can add each constraint by selecting it from the dropdown and clicking the Configure constraint settings button. We will discuss the details of each constraint below.
Password Character Types
Select the minimum number of character types which must be found in a password. The four supported character types are given as: lowercase letters, uppercase letters, digits, and special characters.
Password Character Type
This sets how many characters of one selected type (special character, lowercase, uppercase, or numeric) the password must contain.
A separate constraint has to be created for each entry in the dropdown that you want to restrict. Here I am creating a constraint only for special characters.
Consecutive identical characters
Select the maximum number of consecutive identical characters allowed in the password.
Number of allowed repeated passwords
A value of 0 represents no allowed repeats.
Password Character length
Set the minimum and maximum character length allowed.
Prevent the user from having a password that contains their username.
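To make concrete what each of the constraints above actually checks, here is an added standalone re-implementation of them (example code, not the module's own PHP); the policy values and test passwords are assumed, and the repeated-password history constraint is left out because it needs the stored password hashes.

```python
import re

# Assumed policy values, chosen to mirror the constraints described above.
POLICY = {
    "min_char_types": 3,      # Password Character Types: distinct types required
    "min_special": 1,         # Password Character Type: special characters required
    "max_consecutive": 2,     # Consecutive identical characters allowed
    "min_length": 8,          # Password Character length
    "max_length": 64,
    "forbid_username": True,  # Password may not contain the username
}

# The four character types the module distinguishes.
CHAR_TYPES = {
    "lowercase": re.compile(r"[a-z]"),
    "uppercase": re.compile(r"[A-Z]"),
    "digit": re.compile(r"[0-9]"),
    "special": re.compile(r"[^a-zA-Z0-9]"),
}


def max_consecutive_run(password):
    """Length of the longest run of one repeated character (0 for empty input)."""
    longest = run = 0
    prev = None
    for ch in password:
        run = run + 1 if ch == prev else 1
        longest = max(longest, run)
        prev = ch
    return longest


def check_password(password, username, policy=POLICY):
    """Return the names of the failed constraints; an empty list means the password passes."""
    failures = []
    types_found = sum(1 for rx in CHAR_TYPES.values() if rx.search(password))
    if types_found < policy["min_char_types"]:
        failures.append("character_types")
    if len(CHAR_TYPES["special"].findall(password)) < policy["min_special"]:
        failures.append("special_characters")
    if max_consecutive_run(password) > policy["max_consecutive"]:
        failures.append("consecutive_identical")
    if not policy["min_length"] <= len(password) <= policy["max_length"]:
        failures.append("length")
    # Case-insensitive, like the username check a user would expect.
    if policy["forbid_username"] and username.lower() in password.lower():
        failures.append("contains_username")
    return failures
```

Calling check_password("aaaa1111", "bob") reports the character-type, special-character and consecutive-identical failures at once, which matches how the status list under the confirm-password field shows every constraint separately.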
In the next step, select the roles to which this policy applies.
Click Finish and you can see your password policy has been created.
You can verify whether all the policies are working by going to the Add user form in the admin screen.
Navigate to People -> Add user
The field below, labelled password expiration, is quite misleading because of its wrong label; it is actually used to force users to reset their password. You can also hide this field under Configuration -> Account settings, in the Manage form display tab.
Below the confirm password field you can see the status of each policy. The status shows whether the entered password passed the constraints and policies.
If the password has expired, users are redirected to the password reset form after logging in with their existing password.