This module supports enforcing restrictions on user passwords by defining password policies.

Overview

A password policy is defined as a set of constraints which must be met before a user password change will be accepted. Each constraint takes a parameter that sets the minimum number of valid conditions which must be met before the constraint is satisfied.

Example: an uppercase constraint (with a parameter of 2) and a digit constraint (with a parameter of 4) means that a user password must have at least 2 uppercase letters and at least 4 digits for it to be accepted.

4.0.x branch

The 4.0.x branch has Drupal 10 support along with some bug fixes. The Drupal 8 branch (8.x-3.x) is no longer supported. While the 8.x-3.x branch could have been made compatible with Drupal 10, we decided to bump the major version in order to adopt semantic versioning. Normally, a major bump only happens with major code changes or rearchitecture work, but we decided to adopt semver for simplicity going forward.

Features

The main features of the Password Policy module are password constraints and expiration.

Password Constraints

Current constraints include:

  • Character types
  • Delay
  • Digit
  • Digit placement
  • History*
  • Length
  • Letter
  • Letter/Digit (Alphanumeric)
  • Punctuation
  • Uppercase/Lowercase
  • Username

* Checks the hashed password against a collection of the user's previous hashed passwords, looking for recent duplicates.
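The constraint model from the Overview (uppercase with a parameter of 2, digit with a parameter of 4) together with a History check can be sketched as follows. This is an added example, not code from the Password Policy module: the function names, the policy array layout, the reading of the History parameter as "number of recent passwords to compare" and the sample passwords are all assumptions made for illustration, and the stored hashes are assumed to be salted hashes of the kind PHP's password_hash() produces.

```php
<?php
// Added illustration; not the Password Policy module's own code.

/** Count the characters in $password that match a Unicode-aware pattern. */
function count_matches(string $pattern, string $password): int {
  return (int) preg_match_all($pattern, $password);
}

/**
 * Return the names of the constraints a candidate password fails.
 *
 * $policy maps a constraint name to its parameter (hypothetical layout).
 * $history holds the user's previous password hashes, oldest first.
 */
function failed_constraints(string $password, array $policy, array $history): array {
  $counters = [
    'uppercase' => '/\p{Lu}/u',  // any Unicode uppercase letter
    'digit' => '/\p{Nd}/u',      // any Unicode decimal digit
  ];
  $failed = [];
  foreach ($policy as $name => $parameter) {
    if ($name === 'history') {
      // Salted hashes of the same password differ, so the candidate is
      // verified against each recent hash rather than compared as a string.
      $recent = $parameter > 0 ? array_slice($history, -$parameter) : [];
      foreach ($recent as $old_hash) {
        if (password_verify($password, $old_hash)) {
          $failed[] = $name;
          break;
        }
      }
    }
    elseif (count_matches($counters[$name], $password) < $parameter) {
      $failed[] = $name;
    }
  }
  return $failed;
}

// Constructed sample policy and password history.
$policy = ['uppercase' => 2, 'digit' => 4, 'history' => 3];
$history = [
  password_hash('WInter2023', PASSWORD_DEFAULT),
  password_hash('SPring2024', PASSWORD_DEFAULT),
];

foreach (['Summer2024', 'SPring2024', 'AUtumn2025'] as $candidate) {
  $failed = failed_constraints($candidate, $policy, $history);
  echo $candidate, ': ', $failed ? 'rejected (' . implode(', ', $failed) . ')' : 'accepted', PHP_EOL;
}
```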

Password Expiration and Reset

The module implements a password expiration feature where the user is forced to change their password when their old password expires. This is set on the user's account edit form.

Administrators also have a bulk password reset feature: the admin selects roles, and a password reset is forced for users with those roles. When someone with that role logs in, they are requested to change their password.

Other Releases

7.x-2.x is a major rewrite to include several of the features most lacking from 7.x-1.x: natively exportable configurations, a cleaner administrator UI, and easier implementation of your own policies in other modules. Feature requests should be made against the 7.x-2.x branch instead of 7.x-1.x. Note: #2027019: Upgrade from 7.x-1.x to 7.x-2.x not possible

Given the Drupal 7 EOL in early 2025, there may not be additional work on this branch.

Limitations

Password policies only apply to passwords set via user forms in the web interface. Passwords changed by other means (Drush, web services, etc.) may not be subject to password policy constraints. Please see the following issue if you would like to contribute to removing this limitation: #2451159: Password policy doesn't work when updating the user
