INTRODUCTION
------------
This module provides a way to enforce restrictions on user passwords by
defining password policies.
A password policy can be defined with a set of constraints which must be met
before a user password change will be accepted. Each constraint has a parameter
allowing for the minimum number of valid conditions which must be met before
the constraint is satisfied.
Example: An uppercase constraint (with a parameter of 2) and a digit constraint
(with a parameter of 4) means that a user password must have at least 2
uppercase letters and at least 4 digits for it to be accepted.
Current constraints include:
* Digit
* Letter
* Letter/Digit (Alphanumeric)
* Length
* Uppercase
* Lowercase
* Punctuation
* Character types (Allows the administrator to set the minimum number of
character types required, but without dictating which ones must be used.)
* History (Ensures password does not match a specified number of the user's
previous passwords.)
* Username
The module also implements configurable password expiration features:
* When a password is not changed for a certain amount of time the user will
be forced to change their password on next login.
* Optionally, the user will also be blocked upon password expiration.
* Expiration of passwords can begin after expiration time from enabling
the policy or immediately all users with passwords older than expiration
time will be blocked (retroactive behavior).
* Expiration notifications (warnings) are mailed to the users several times
(configurable) before the password expires.
* Warning e-mail message's subject and body are configurable.
REQUIREMENTS
------------
No special requirements.
INSTALLATION
------------
Install as you would normally install a contributed Drupal module. See
https://drupal.org/documentation/install/modules-themes/modules-7
for further information.
CONFIGURATION
-------------
* Configure password policies and general settings at Administration »
Configuration » People » Password policies:
- Settings
Configure behaviors of the module that will apply to all password
policies.
- List
Manage existing password policies.
- Add
Add a new password policy.
- Force Password Change
Force groups of users to change their passwords.
LIMITATIONS
-----------
* Password policies only apply to passwords set via user forms in the web
interface. Passwords changed by other means (Drush, web services, etc.) will
not be subject to password policy constraints. Please see the following issue
if you would like to contribute to removing this limitation:
https://www.drupal.org/node/2451159
* Password policies alone cannot ensure secure password practices. A
password policy can help prevent a user from choosing a weak password that
is susceptible to password guessing. However, an overly restrictive password
policy could promote insecure password practices such as writing a password
down in an insecure location, or devising an obvious password only to meet
the constraints (e.g., Abc123!).
Consider encouraging (or requiring as an organizational policy) users to use
a password manager to generate and store strong, per-site passwords:
https://en.wikipedia.org/wiki/List_of_password_managers
CREDITS
-------
Drupal 4.7 version was written by David Ayre <drupal at ayre dot ca>
Refactored and maintained by Miglius Alaburda <miglius at gmail dot com>
Sponsored by Bryght, SPAWAR, McDean, Classic Graphics, Acquia
View source
- INTRODUCTION
- ------------
-
- This module provides a way to enforce restrictions on user passwords by
- defining password policies.
-
- A password policy can be defined with a set of constraints which must be met
- before a user password change will be accepted. Each constraint has a parameter
- allowing for the minimum number of valid conditions which must be met before
- the constraint is satisfied.
-
- Example: An uppercase constraint (with a parameter of 2) and a digit constraint
- (with a parameter of 4) means that a user password must have at least 2
- uppercase letters and at least 4 digits for it to be accepted.
-
- Current constraints include:
-
- * Digit
- * Letter
- * Letter/Digit (Alphanumeric)
- * Length
- * Uppercase
- * Lowercase
- * Punctuation
- * Character types (Allows the administrator to set the minimum number of
- character types required, but without dictating which ones must be used.)
- * History (Ensures password does not match a specified number of the user's
- previous passwords.)
- * Username
-
- The module also implements configurable password expiration features:
-
- * When a password is not changed for a certain amount of time the user will
- be forced to change their password on next login.
- * Optionally, the user will also be blocked upon password expiration.
- * Expiration of passwords can begin after expiration time from enabling
- the policy or immediately all users with passwords older than expiration
- time will be blocked (retroactive behavior).
- * Expiration notifications (warnings) are mailed to the users several times
- (configurable) before the password expires.
- * Warning e-mail message's subject and body are configurable.
-
-
- REQUIREMENTS
- ------------
-
- No special requirements.
-
-
- INSTALLATION
- ------------
-
- Install as you would normally install a contributed Drupal module. See
- https://drupal.org/documentation/install/modules-themes/modules-7
- for further information.
-
-
- CONFIGURATION
- -------------
-
- * Configure password policies and general settings at Administration »
- Configuration » People » Password policies:
-
- - Settings
-
- Configure behaviors of the module that will apply to all password
- policies.
-
- - List
-
- Manage existing password policies.
-
- - Add
-
- Add a new password policy.
-
- - Force Password Change
-
- Force groups of users to change their passwords.
-
-
- LIMITATIONS
- -----------
-
- * Password policies only apply to passwords set via user forms in the web
- interface. Passwords changed by other means (Drush, web services, etc.) will
- not be subject to password policy constraints. Please see the following issue
- if you would like to contribute to removing this limitation:
- https://www.drupal.org/node/2451159
-
- * Password policies alone cannot ensure secure password practices. A
- password policy can help prevent a user from choosing a weak password that
- is susceptible to password guessing. However, an overly restrictive password
- policy could promote insecure password practices such as writing a password
- down in an insecure location, or devising an obvious password only to meet
- the constraints (e.g., Abc123!).
-
- Consider encouraging (or requiring as an organizational policy) users to use
- a password manager to generate and store strong, per-site passwords:
- https://en.wikipedia.org/wiki/List_of_password_managers
-
-
- CREDITS
- -------
- Drupal 4.7 version was written by David Ayre
- Refactored and maintained by Miglius Alaburda
- Sponsored by Bryght, SPAWAR, McDean, Classic Graphics, Acquia