HowTo: Use Drupal Password Policy Module in Drupal 8

article publisher

Sourav

Drupal

In the modern era, everyone uses the internet, and passwords are the most common way to prove your identity and authenticate yourself when using websites, email accounts, social sites, etc. Passwords are the keys to the locks of our digital lives. One important concern is whether our passwords are safe from attackers. Luckily, the Password Policy module available for Drupal assists in fortifying Drupal sites.

Creating a Secure Password

Security is a concern in today’s fast-paced world. As much as the threat of losing our personal information worries everyone, there are many ways to protect it. One of the easiest and most basic ways is through passwords.

First, we need to create a strong password that can’t be easily guessed by unauthorized personnel, a sniffer, or a hacker.

By default, Drupal provides some guidance on how to make your password stronger, but there are no particular password policies.

Although Drupal comes with many security modules, the one that matters for passwords is the Password Policy module, which gives you advanced configuration of password policies and allows quite complex composition rules for your password.

Module installation

Installing a module with Composer is easy and is better practice than doing it manually. To install Password Policy using Composer, run the command:

composer require 'drupal/password_policy:^3.0'

The Password Policy module comes with a few submodules. After downloading it, go to Extend, search for ‘password policy’, and enable the module and its submodules.

Configuring Password Policy

After installing successfully, we need to configure a few things to get started.

Go to Configuration → Security → Password Policy.

This leads to the Password Policies page, where you can add new policies and force a password reset to secure your passwords.

Click on ‘+Add policy’ to introduce new password policies.

General Info

On the General Info page, you can define the new policy's name and the number of reset days, the period within which a password remains valid.

  • Policy Name: Give a name for your password policy.
  • Password Reset Days: Select the number of days a user is allowed before he/she must reset the password; the password becomes invalid thereafter. 0 days indicates that passwords never expire. Then click on Next.

Configure Constraints

Now you can select a constraint to add and configure the settings for that constraint.

Password Character Types: Select the minimum number of character types that must be found in a password. The four supported character types are lowercase letters, uppercase letters, digits, and punctuation.

You can also set the number of characters of a given character type (lowercase/uppercase/numeric/special character) for your password.

Consecutive Characters: Set the maximum number of consecutive identical (e.g. ab/fg) characters in your password.

Password History: This constraint lets you set the number of repeated passwords allowed. A value of 0 means that no password repetition is allowed if the password has been taken by other users before.

Password Character Length: You can define the minimum and maximum number of characters allowed in a user's password.

Password Username: This is very important because, with social engineering, a password is easy to identify if it contains the username. This constraint notifies users and prevents them from having a password that contains their username.

After adding the constraints, click on Next.
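To see how these constraints interact before rolling a policy out, the following added example (not part of the Password Policy module or the original article) models the character types, consecutive characters, length and username constraints as a standalone checker. The `Policy` values and function names are constructed for illustration, and treating the consecutive setting as the longest allowed run of one repeated character is an assumption about its semantics.

```python
import string
from dataclasses import dataclass
from itertools import groupby


@dataclass
class Policy:
    # Constructed sample values, not defaults of the Password Policy module.
    min_character_types: int = 3
    max_consecutive_identical: int = 2
    min_length: int = 12
    max_length: int = 64


def character_types(password: str) -> int:
    """Count how many of the four supported character types appear."""
    checks = (str.islower, str.isupper, str.isdigit,
              lambda c: c in string.punctuation)
    return sum(any(check(c) for c in password) for check in checks)


def longest_identical_run(password: str) -> int:
    """Length of the longest run of one repeated character (3 for 'baaad')."""
    return max((len(list(run)) for _, run in groupby(password)), default=0)


def evaluate(password: str, username: str, policy: Policy) -> dict:
    """Return a mapping of constraint name to True (pass) or False (fail)."""
    lowered = password.lower()
    return {
        "character_types": character_types(password) >= policy.min_character_types,
        "consecutive": longest_identical_run(password) <= policy.max_consecutive_identical,
        "length": policy.min_length <= len(password) <= policy.max_length,
        # Case-insensitive, so 'Alice2024' is rejected for user 'alice';
        # an empty username never matches.
        "username": not (username and username.lower() in lowered),
    }


def failed_constraints(password: str, username: str, policy: Policy) -> list:
    """Names of the constraints the password violates, in evaluation order."""
    return [name for name, ok in evaluate(password, username, policy).items() if not ok]
```

The password history constraint is left out because it depends on the stored hashes of a user's earlier passwords rather than on the candidate string alone.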

Apply to Roles

You can select the user roles to which these password policies are applied.

I have applied the password policies to all users, as security cannot be compromised. Now click on “Finish”.

Cheers!! You have successfully created a password policy.

Force Password Reset

This feature forces the user to reset the password after the creation of a new account. You can select the role to which you want to apply the policy. You are allowed to exclude your own account if it belongs to the selected role. Next, click on “Save”.

Now, let’s go to the signup page, where you can check whether the password policy is working correctly.

Note: I have changed the default Account Setting for creating a new account. If you want to allow users to select their own passwords during registration, you must uncheck this option. (Configuration → Account Settings → Registration and Cancellation)

Here you can see the policy with its Status and Constraints. If the new password follows the password constraints, the Status will be passed; otherwise it will be failed.

Conclusion

All in all, these security features make Drupal the most security-focused CMS, with top-level security policies and user access controls. That’s why governments and international organizations trust Drupal for their websites.

Contact us at [email protected] to leverage the immense security features of Drupal 8 for your site.
