How to implement password policies and constraints in Drupal 8

Drupal is well known for its security compared to other open source content management systems. Password policies and password constraints are two security features that require users to meet certain conditions when creating a password in the user registration form. Here we discuss the Password Policy module and how to use it to implement strong password policies and constraints in your Drupal user registration form. The module also provides password expiry options. The purpose of the module and its sub-modules can be summarised as follows.

  • Creating Password policies
  • Configuring constraints for password
  • Configuring Password Expiry for each role

You can download this module from the link below, or you can install it with Composer.

composer require 'drupal/password_policy:^3.0'

Before installing the Password Policy module, make sure the Ctools module is installed and enabled.

Go to your module list page; under the Security section you can see each module and its purpose. Enable the Password Policy module first, then enable the other sub-modules based on your requirements.

I have enabled 7 modules and am going to show how to configure each one.

Under Configuration -> Security you can see Password Policy. Clicking on it takes you to the configuration page where we can create policies for each role.

This will navigate to the page where policies are listed.

Here we are going to create a policy by clicking Add Policy.

I have created a policy and set password expiry to 30 days. You can enter 0 if you don't want passwords to expire.

In the next step we can add constraints. Note that you can give the policy any meaningful name, but the name becomes read-only after you move to the next step.

On this page we can set all the constraints. Add each constraint by selecting it from the dropdown and clicking the Configure constraint settings button. We will discuss the details of each constraint.

Password Character Types

Select the minimum number of character types which must be found in a password. The four supported character types are given as: lowercase letters, uppercase letters, digits, and special characters.

Password Character Type

This allows you to set the number of characters allowed for each type: special character, lowercase, uppercase or numeric.

You have to create a separate constraint for each entry in the dropdown that you want to restrict. Here I am creating a constraint only for special characters.

Consecutive identical characters

Select the maximum number of consecutive identical characters allowed in the password.

Password History

Number of allowed repeated passwords

A value of 0 represents no allowed repeats.

Password Character length

Set minimum and maximum character length allowed.

Password username

Prevent users from having a password containing their username.

In the next step, select the roles to which this policy is applied.

Click Finish and you can see that your password policy has been created.

You can verify whether all policies are working by going to the add user form in the admin screen.

Navigate to People -> Add user

The field shown below as password expiration is quite misleading because of its wrong label. You can use it to force users to reset their password. You can also hide this field under Configuration -> Account settings, in the Manage form display tab.

Below the confirm password field you can see the status of each policy. The status shows whether the password you entered passes the constraints and policies.
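To pick test passwords before trying them in the Add user form, the following added example (not code from the Password Policy module or from this article) models the character types, special character count, consecutive identical characters, length and username constraints in plain Python. The policy values, the sample passwords and the case-insensitive username match are assumptions; the history constraint is left out because it depends on stored password hashes.

```python
import itertools

# Hypothetical policy values for this sketch; set them to match your own policy.
POLICY = {
    "min_character_types": 3,
    "min_special_characters": 1,
    "max_consecutive_identical": 2,
    "min_length": 10,
    "max_length": 64,
}


def char_type(ch):
    """Classify a character as one of the four types named in the article."""
    if ch.islower():
        return "lowercase"
    if ch.isupper():
        return "uppercase"
    if ch.isdigit():
        return "digit"
    return "special"


def longest_run(password):
    """Length of the longest run of one repeated character."""
    return max((len(list(g)) for _, g in itertools.groupby(password)), default=0)


def check_password(password, username, policy=POLICY):
    """Return {constraint: passed}, similar to the status list on the user form."""
    types = [char_type(ch) for ch in password]
    return {
        "character_types": len(set(types)) >= policy["min_character_types"],
        "special_characters": types.count("special") >= policy["min_special_characters"],
        "consecutive_identical": longest_run(password) <= policy["max_consecutive_identical"],
        "length": policy["min_length"] <= len(password) <= policy["max_length"],
        # Case-insensitive comparison is an assumption of this sketch.
        "username": not username or username.lower() not in password.lower(),
    }


if __name__ == "__main__":
    # Constructed sample passwords and username, for illustration only.
    for candidate in ("alice2024", "Tr1cky-Horse-Battery", "Zz9!aaaa-long"):
        failed = [name for name, ok in check_password(candidate, "alice").items() if not ok]
        print(candidate, "->", "all constraints pass" if not failed else f"fails: {failed}")
```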

If the password has expired, users are redirected to the password reset form after logging in with their existing password.
