This module provides a way to specify a certain level of password complexity (aka. "password hardening") for user passwords on a system by defining a password policy.

The 7.x-2.x branch is a major rewrite to include many of the most lacking features to-date - natively exportable configurations, cleaner administrator UI, and easier to implement your own policies in other modules. All features requests should be made against this branch.


A password policy can be defined with a set of constraints which must be met before a user password change will be accepted. Each constraint has a parameter allowing for the minimum number of valid conditions which must be met before the constraint is satisfied.

Example: an uppercase constraint (with a parameter of 2) and a digit constraint (with a parameter of 4) means that a user password must have at least 2 uppercase letters and at least 4 digits for it to be accepted.


Current constraints include:

  • Complexity constraint
  • Digit constraint
  • Letter constraint
  • Letter/Digit constraint (Alphanumeric)
  • Length constraint
  • Uppercase constraint
  • Lowercase constraint
  • Punctuation constraint
  • Delay constraint
  • Username constraint
  • Digit placement constraint
  • History constraint (checks hashed password against a collection of users previous hashed passwords looking for recent duplicates)

The module also implements a password expiration feature. The user gets blocked or is forced to change his password when his old password expires.

Administrators can force specific users or entire roles to change their password on their next login and can made a password tab available to users instead of the usual user/#/edit screen for password changes.

Recommended Modules

Project Information