You are here

Home » API reference » Password Policy 6

README.txt in Password Policy 6

Same filename and directory in other branches
  1. 5 README.txt
  2. 7.2 README.txt
  3. 7 README.txt
Password policy
==========================================
This module provides a way to specify a certain level of password
complexity (aka. "password hardening") for user passwords on a
system by defining a password policy.

A password policy can be defined with a set of constraints which
must be met before a user password change will be accepted. Each
constraint has a parameter allowing for the minimum number of valid
conditions which must be met before the constraint is satisfied.

Example: an uppercase constraint (with a parameter of 2) and a
digit constraint (with a parameter of 4) means that a user password
must have at least 2 uppercase letters and at least 4 digits for it
to be accepted.

Current constraints include:

  * Digit constraint
  * Letter constraint
  * Letter/Digit constraint (Alphanumeric)
  * Length constraint
  * Uppercase constraint
  * Lowercase constraint
  * Punctuation constraint
  * Character types constraint (allows the administrator to set the minimum
    number of character types required, but without actually dictating which
    ones must be used.  Example - Windows requires any 3 (user's choice) of
    uppercase, lowercase, numbers, or punctuation.
  * History constraint (checks hashed password against a
    collection of users previous hashed passwords looking for
    recent duplicates)
  * Username constraint

The module also implements configurable password expiration features:

  * When a password is not changed for a certain amount of time the user will
    be forced to change their password on next login.
  * Optionally, the user will also be blocked upon password expiration.
  * Expiration of passwords can begin after expiration time from enabling
    the policy or immediately all users with passwords older than expiration
    time will be blocked (retroactive behavior).
  * Expiration notifications (warnings) are mailed to the users several times
    (configurable) before the password expires.
  * Warning e-mail message's subject and body are configurable.

Limitations
==========================================
Password policies only apply to passwords set via user forms in the web
interface. Passwords changed by other means (Drush, web services, etc.) will
not be subject to password policy constraints. Please see the following issue
if you would like to contribute to removing this limitation:

	https://www.drupal.org/node/2451159

Security note
==========================================
Enforcing tough policy is only good from a technical standpoint. You are 
likely to end up with a situation where the users write down their super
secure and super impossible to remember passwords. Help texts on how can
you memorize such things (like shifting a word one row up the keyboard
and so on). You should have separate company policy that deters users from
writing passwords on a Post-it on the backside of their keyboard.

Consider a company policy to use strong password generator tools like
http://supergenpass.com/ or 1Password on MacOS.

Requirements
==========================================
Drupal 6.x
MySQL 5.0.3 or something else which supports varchar > 255

Credits
==========================================
Drupal 4.7 version was written by David Ayre <drupal at ayre dot ca>
Refactored and maintained by Miglius Alaburda <miglius at gmail dot com>
Sponsored by Bryght, SPAWAR, McDean

File

README.txt
View source 
  1. 

  2. Password policy

  3. ==========================================

  4. This module provides a way to specify a certain level of password

  5. complexity (aka. "password hardening") for user passwords on a

  6. system by defining a password policy.

  7. 

  8. A password policy can be defined with a set of constraints which

  9. must be met before a user password change will be accepted. Each

  10. constraint has a parameter allowing for the minimum number of valid

  11. conditions which must be met before the constraint is satisfied.

  12. 

  13. Example: an uppercase constraint (with a parameter of 2) and a

  14. digit constraint (with a parameter of 4) means that a user password

  15. must have at least 2 uppercase letters and at least 4 digits for it

  16. to be accepted.

  17. 

  18. Current constraints include:

  19. 

  20.   * Digit constraint

  21.   * Letter constraint

  22.   * Letter/Digit constraint (Alphanumeric)

  23.   * Length constraint

  24.   * Uppercase constraint

  25.   * Lowercase constraint

  26.   * Punctuation constraint

  27.   * Character types constraint (allows the administrator to set the minimum

  28.     number of character types required, but without actually dictating which

  29.     ones must be used.  Example - Windows requires any 3 (user's choice) of

  30.     uppercase, lowercase, numbers, or punctuation.

  31.   * History constraint (checks hashed password against a

  32.     collection of users previous hashed passwords looking for

  33.     recent duplicates)

  34.   * Username constraint

  35. 

  36. The module also implements configurable password expiration features:

  37. 

  38.   * When a password is not changed for a certain amount of time the user will

  39.     be forced to change their password on next login.

  40.   * Optionally, the user will also be blocked upon password expiration.

  41.   * Expiration of passwords can begin after expiration time from enabling

  42.     the policy or immediately all users with passwords older than expiration

  43.     time will be blocked (retroactive behavior).

  44.   * Expiration notifications (warnings) are mailed to the users several times

  45.     (configurable) before the password expires.

  46.   * Warning e-mail message's subject and body are configurable.

  47. 

  48. Limitations

  49. ==========================================

  50. Password policies only apply to passwords set via user forms in the web

  51. interface. Passwords changed by other means (Drush, web services, etc.) will

  52. not be subject to password policy constraints. Please see the following issue

  53. if you would like to contribute to removing this limitation:

  54. 

  55. 	https://www.drupal.org/node/2451159

  56. 

  57. Security note

  58. ==========================================

  59. Enforcing tough policy is only good from a technical standpoint. You are 

  60. likely to end up with a situation where the users write down their super

  61. secure and super impossible to remember passwords. Help texts on how can

  62. you memorize such things (like shifting a word one row up the keyboard

  63. and so on). You should have separate company policy that deters users from

  64. writing passwords on a Post-it on the backside of their keyboard.

  65. 

  66. Consider a company policy to use strong password generator tools like

  67. http://supergenpass.com/ or 1Password on MacOS.

  68. 

  69. Requirements

  70. ==========================================

  71. Drupal 6.x

  72. MySQL 5.0.3 or something else which supports varchar > 255

  73. 

  74. Credits

  75. ==========================================

  76. Drupal 4.7 version was written by David Ayre 

  77. Refactored and maintained by Miglius Alaburda 

  78. Sponsored by Bryght, SPAWAR, McDean