You are here

Home » API reference » Password Policy 7

README.txt in Password Policy 7

Same filename and directory in other branches
  1. 5 README.txt
  2. 6 README.txt
  3. 7.2 README.txt
INTRODUCTION
------------

This module provides a way to enforce restrictions on user passwords by
defining password policies.

A password policy can be defined with a set of constraints which must be met
before a user password change will be accepted. Each constraint has a parameter
allowing for the minimum number of valid conditions which must be met before
the constraint is satisfied.

Example: An uppercase constraint (with a parameter of 2) and a digit constraint
(with a parameter of 4) means that a user password must have at least 2
uppercase letters and at least 4 digits for it to be accepted.

Current constraints include:

 * Digit
 * Letter
 * Letter/Digit (Alphanumeric)
 * Length
 * Uppercase
 * Lowercase
 * Punctuation
 * Character types (Allows the administrator to set the minimum number of
   character types required, but without dictating which ones must be used.)
 * History (Ensures password does not match a specified number of the user's
   previous passwords.)
 * Username

The module also implements configurable password expiration features:

 * When a password is not changed for a certain amount of time the user will
   be forced to change their password on next login.
 * Optionally, the user will also be blocked upon password expiration.
 * Expiration of passwords can begin after expiration time from enabling
   the policy or immediately all users with passwords older than expiration
   time will be blocked (retroactive behavior).
 * Expiration notifications (warnings) are mailed to the users several times
   (configurable) before the password expires.
 * Warning e-mail message's subject and body are configurable.


REQUIREMENTS
------------

No special requirements.


INSTALLATION
------------

Install as you would normally install a contributed Drupal module. See
https://drupal.org/documentation/install/modules-themes/modules-7
for further information.


CONFIGURATION
-------------

* Configure password policies and general settings at Administration »
  Configuration » People » Password policies:

   - Settings

     Configure behaviors of the module that will apply to all password
     policies.

   - List

     Manage existing password policies.

   - Add

     Add a new password policy.

   - Force Password Change

     Force groups of users to change their passwords.


LIMITATIONS
-----------

 * Password policies only apply to passwords set via user forms in the web
   interface. Passwords changed by other means (Drush, web services, etc.) will
   not be subject to password policy constraints. Please see the following issue
   if you would like to contribute to removing this limitation:
     https://www.drupal.org/node/2451159

 * Password policies alone cannot ensure secure password practices. A
   password policy can help prevent a user from choosing a weak password that
   is susceptible to password guessing. However, an overly restrictive password
   policy could promote insecure password practices such as writing a password
   down in an insecure location, or devising an obvious password only to meet
   the constraints (e.g., Abc123!).

   Consider encouraging (or requiring as an organizational policy) users to use
   a password manager to generate and store strong, per-site passwords:
     https://en.wikipedia.org/wiki/List_of_password_managers


CREDITS
-------
Drupal 4.7 version was written by David Ayre <drupal at ayre dot ca>
Refactored and maintained by Miglius Alaburda <miglius at gmail dot com>
Sponsored by Bryght, SPAWAR, McDean, Classic Graphics, Acquia

File

README.txt
View source 
  1. INTRODUCTION

  2. ------------

  3. 

  4. This module provides a way to enforce restrictions on user passwords by

  5. defining password policies.

  6. 

  7. A password policy can be defined with a set of constraints which must be met

  8. before a user password change will be accepted. Each constraint has a parameter

  9. allowing for the minimum number of valid conditions which must be met before

  10. the constraint is satisfied.

  11. 

  12. Example: An uppercase constraint (with a parameter of 2) and a digit constraint

  13. (with a parameter of 4) means that a user password must have at least 2

  14. uppercase letters and at least 4 digits for it to be accepted.

  15. 

  16. Current constraints include:

  17. 

  18.  * Digit

  19.  * Letter

  20.  * Letter/Digit (Alphanumeric)

  21.  * Length

  22.  * Uppercase

  23.  * Lowercase

  24.  * Punctuation

  25.  * Character types (Allows the administrator to set the minimum number of

  26.    character types required, but without dictating which ones must be used.)

  27.  * History (Ensures password does not match a specified number of the user's

  28.    previous passwords.)

  29.  * Username

  30. 

  31. The module also implements configurable password expiration features:

  32. 

  33.  * When a password is not changed for a certain amount of time the user will

  34.    be forced to change their password on next login.

  35.  * Optionally, the user will also be blocked upon password expiration.

  36.  * Expiration of passwords can begin after expiration time from enabling

  37.    the policy or immediately all users with passwords older than expiration

  38.    time will be blocked (retroactive behavior).

  39.  * Expiration notifications (warnings) are mailed to the users several times

  40.    (configurable) before the password expires.

  41.  * Warning e-mail message's subject and body are configurable.

  42. 

  43. 

  44. REQUIREMENTS

  45. ------------

  46. 

  47. No special requirements.

  48. 

  49. 

  50. INSTALLATION

  51. ------------

  52. 

  53. Install as you would normally install a contributed Drupal module. See

  54. https://drupal.org/documentation/install/modules-themes/modules-7

  55. for further information.

  56. 

  57. 

  58. CONFIGURATION

  59. -------------

  60. 

  61. * Configure password policies and general settings at Administration »

  62.   Configuration » People » Password policies:

  63. 

  64.    - Settings

  65. 

  66.      Configure behaviors of the module that will apply to all password

  67.      policies.

  68. 

  69.    - List

  70. 

  71.      Manage existing password policies.

  72. 

  73.    - Add

  74. 

  75.      Add a new password policy.

  76. 

  77.    - Force Password Change

  78. 

  79.      Force groups of users to change their passwords.

  80. 

  81. 

  82. LIMITATIONS

  83. -----------

  84. 

  85.  * Password policies only apply to passwords set via user forms in the web

  86.    interface. Passwords changed by other means (Drush, web services, etc.) will

  87.    not be subject to password policy constraints. Please see the following issue

  88.    if you would like to contribute to removing this limitation:

  89.      https://www.drupal.org/node/2451159

  90. 

  91.  * Password policies alone cannot ensure secure password practices. A

  92.    password policy can help prevent a user from choosing a weak password that

  93.    is susceptible to password guessing. However, an overly restrictive password

  94.    policy could promote insecure password practices such as writing a password

  95.    down in an insecure location, or devising an obvious password only to meet

  96.    the constraints (e.g., Abc123!).

  97. 

  98.    Consider encouraging (or requiring as an organizational policy) users to use

  99.    a password manager to generate and store strong, per-site passwords:

  100.      https://en.wikipedia.org/wiki/List_of_password_managers

  101. 

  102. 

  103. CREDITS

  104. -------

  105. Drupal 4.7 version was written by David Ayre 

  106. Refactored and maintained by Miglius Alaburda 

  107. Sponsored by Bryght, SPAWAR, McDean, Classic Graphics, Acquia