INTRODUCTION ------------ This module provides a way to enforce restrictions on user passwords by defining password policies. A password policy can be defined with a set of constraints which must be met before a user password change will be accepted. Each constraint has a parameter allowing for the minimum number of valid conditions which must be met before the constraint is satisfied. Example: An uppercase constraint (with a parameter of 2) and a digit constraint (with a parameter of 4) means that a user password must have at least 2 uppercase letters and at least 4 digits for it to be accepted. Current constraints include: * Digit * Letter * Letter/Digit (Alphanumeric) * Length * Uppercase * Lowercase * Punctuation * Character types (Allows the administrator to set the minimum number of character types required, but without dictating which ones must be used.) * History (Ensures password does not match a specified number of the user's previous passwords.) * Username The module also implements configurable password expiration features: * When a password is not changed for a certain amount of time the user will be forced to change their password on next login. * Optionally, the user will also be blocked upon password expiration. * Expiration of passwords can begin after expiration time from enabling the policy or immediately all users with passwords older than expiration time will be blocked (retroactive behavior). * Expiration notifications (warnings) are mailed to the users several times (configurable) before the password expires. * Warning e-mail message's subject and body are configurable. REQUIREMENTS ------------ No special requirements. INSTALLATION ------------ Install as you would normally install a contributed Drupal module. See https://drupal.org/documentation/install/modules-themes/modules-7 for further information. CONFIGURATION ------------- * Configure password policies and general settings at Administration » Configuration » People » Password policies: - Settings Configure behaviors of the module that will apply to all password policies. - List Manage existing password policies. - Add Add a new password policy. - Force Password Change Force groups of users to change their passwords. LIMITATIONS ----------- * Password policies only apply to passwords set via user forms in the web interface. Passwords changed by other means (Drush, web services, etc.) will not be subject to password policy constraints. Please see the following issue if you would like to contribute to removing this limitation: https://www.drupal.org/node/2451159 * Password policies alone cannot ensure secure password practices. A password policy can help prevent a user from choosing a weak password that is susceptible to password guessing. However, an overly restrictive password policy could promote insecure password practices such as writing a password down in an insecure location, or devising an obvious password only to meet the constraints (e.g., Abc123!). Consider encouraging (or requiring as an organizational policy) users to use a password manager to generate and store strong, per-site passwords: https://en.wikipedia.org/wiki/List_of_password_managers CREDITS ------- Drupal 4.7 version was written by David Ayre Refactored and maintained by Miglius Alaburda Sponsored by Bryght, SPAWAR, McDean, Classic Graphics, Acquia