Module spotlight: Password policy

The Password Policy module (current stable versions: 7.x-1.9 and 6.x-1.9) lets you define sets of password constraints as policies and apply those policies to your Drupal users on a per-role basis. This is great for government and corporate environments with mandatory requirements for user passwords.

Password Policy can also handle password expiration and force users (either on their first login or in bulk by role) to change their password.

No announcement has been made about Drupal 8 development.

Installation and configuration

After installing and enabling the module (we like to install modules using Drush), you’ll have a new administration page at Configuration > People > Password policies (admin/config/people/password_policy).

Password Policy comes with two modules: ‘Password policy’ itself and ‘Password change tab’. Password change tab just moves the password change functions out of the user page and into its own tab which makes the action required by the user a lot more obvious.

Password expiration

You can specify the number of days that a password should be usable before it expires. Users who don’t update their password before it expires can either be blocked (requiring an administrator to unblock them) or be forced to change their password at their next login.

Make sure you configure a password expiration warning too or your users won’t know that there’s a countdown. For example, a password expiration warning value of ‘7,3,1’ will cause users to be emailed one week, three days, and one day before they are finally blocked.

The password expiration period, and when users are warned, are both set as part of the policy. But what happens to accounts when they expire is set module-wide?  (see the Password Policy ‘Settings’ tab).


You’re able to set constraints based on password length and more or less every conceivable combination of letters, numbers and punctuation. You can also specify history constraints (a new password must not match any of X previous passwords), username constraints (a new password must not contain the user’s own username), delay (the minimum number of hours before a user can change their password again) and digit placement (to prevent users sticking a different number on the end of the same password).

Enabling your policy

Your new policy will not be enabled immediately. To enable it, go to the ‘List’ tab of the Password Policy configuration pages.

Applying password policies to existing users

After you’ve enabled your new policy, go to the ‘Force password change’ tab to choose which existing user roles will be required to change their password. The next time users of those roles log in to your site they will be forced to select a new password that conforms to your policy.

Remember that history constraints will only apply to passwords set after the password policy module was enabled.

Complementary modules

Here are a few complementary modules you might find useful.

  • Password Tab is only required in the 7.x-2.x (development) branch of Password Policy, where the separate password tab functionality has been removed.
  • Login Security lets you limit the number of invalid login attempts before accounts or IP addresses are blocked.
  • Flood control exposes Drupal 7’s inbuilt flood control settings for modification.
Date posted:
28 August 2014
Authored by :
Emma Lebel