Jun 08 2021

Website security is never (and should never be) an afterthought. A breached website causes a loss not just in revenue but also in reputation. A secure website is one that has been developed with the different ways it could be broken into in mind.

For this, we must ensure that the security checklist is handled both before and after the launch of the site. One of the most important steps to ensure a secure Drupal website is to make certain that users have and maintain strong password policies. Out of the box, Drupal does not enforce a strong password policy. By default, you can choose to set easy (and weak) passwords. This behavior is not recommended, especially for users who have content administration and other higher-privilege permissions.

And that’s where the Drupal Password Policy module shines. It enables site admins to set strong password policies and enforce restrictions on a website. The Password Policy module is a contributed Drupal module that is compatible with Drupal 9 as well.

Password Policy Module

Installing the Password Policy Module

Step 1: Install the Password Policy module using composer or download from here.

$ composer require 'drupal/password_policy:^[email protected]'

Note: Before installing the password policy module, make sure you have installed and enabled the Ctools module.

Step 2: Enable the downloaded module using drush or Drupal UI.

Through the Drupal UI, head to the module listing page. Under the Security tab, you will find the password policy module with submodules. Enable the first Password Policy module and then the submodules as per your requirement.

Security

Configuration

To configure your recently installed and enabled Password policy module, go to Configuration → Security → Password Policy. Here you will add password policies for various roles with different constraints as per your requirement.

Password Reset

Now give the policy a name and set the password reset days. If you don't want the password to expire, set the Password reset days as 0 days.

General Info

After this, you can add constraints and configure them through the Constraints settings tab. Note that the submodules you enabled in the Security section of the module listing will be listed in the Constraints dropdown.

Configure Constraints

Let’s implement this with an example for better understanding. I need to add a password policy for an author role that enforces the following: the password must contain a minimum of 3 characters from the following character types (lowercase letters, uppercase letters, digits, special characters), it must contain a minimum of 1 special character, and it must be a minimum of 8 characters long.

[Screenshots: Character Type, Number of Character, Maximum Length, Policy Constraints]

Once you have configured the above constraints, apply the policy to the author role.

Apply to Roles

Click on the Finish button to create your new password policy. You have now successfully created a password policy for the author role.
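The author-role policy configured above, written out as a stand-alone PHP check so candidate passwords can be tried against it before the policy is rolled out. This is an added example, not code from the article or from the Password Policy module; the function name `check_author_policy`, the sample passwords, the reading of the first constraint as "at least 3 of the 4 character types", and the definition of a special character as any non-alphanumeric ASCII character are assumptions.

```php
<?php
// Added illustration, not code from the Password Policy module.
// Assumptions: passwords are ASCII; the character-type rule means
// "at least 3 of the 4 types"; a special character is anything that
// is not an ASCII letter or digit.

/**
 * Returns the constraints a candidate password violates.
 * An empty array means it satisfies the example author policy.
 */
function check_author_policy(string $password): array {
  // Count how many characters of each type the password contains.
  $counts = [
    'lowercase' => preg_match_all('/[a-z]/', $password),
    'uppercase' => preg_match_all('/[A-Z]/', $password),
    'digit'     => preg_match_all('/[0-9]/', $password),
    'special'   => preg_match_all('/[^a-zA-Z0-9]/', $password),
  ];
  // array_filter() drops the zero counts, leaving the types present.
  $types_present = count(array_filter($counts));

  $violations = [];
  if ($types_present < 3) {
    $violations[] = "character types: $types_present of 4 present, 3 required";
  }
  if ($counts['special'] < 1) {
    $violations[] = 'characters: at least 1 special character required';
  }
  // strlen() counts bytes, which equals characters for ASCII input.
  if (strlen($password) < 8) {
    $violations[] = 'length: at least 8 characters required';
  }
  return $violations;
}

// Constructed sample passwords, chosen to hit each constraint separately.
$samples = ['drupal', 'Passw0rd', 'Ab1!', 'password1!', 'Auth0r!Pass'];
foreach ($samples as $candidate) {
  $violations = check_author_policy($candidate);
  $verdict = $violations ? 'REJECT: ' . implode('; ', $violations) : 'ACCEPT';
  printf("%-12s %s\n", $candidate, $verdict);
}
```

Each constraint is evaluated independently, so one password can fail several at once. The sample `password1!` satisfies all three constraints, which shows that composition rules on their own still admit predictable passwords.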
