How to Implement a Custom Password Policy in Drupal

How do you strike a balance between an “unbeatable” yet cumbersome password policy and user convenience on your Drupal website? Moreover: how do you implement a CUSTOM password policy in Drupal, one that meets your (or your client's) website's particular security needs or its specific user-friendliness needs? Well, you put together Drupal's security-oriented pre-built features and those specific Drupal modules that best fit your site's needs, and you tailor your own password policy! And speaking of the modules that will grant you a custom-made password policy, let me share with you my top 7 favorite ones!

And before I go ahead with my list, allow me to emphasize 2 key aspects that you shouldn't underestimate once you start putting together your password policy:

  1. A submission platform, where users can upload funny videos and interesting pics, asks for a totally different security system than an e-commerce Drupal site where clients need to enter their credit card details. I know this is a “no-brainer” and yet, I still felt like stressing it.

    In other words: No need to “bug” all those users willing to simply put videos of their cute kittens up on your Drupal site with an overly complex password policy. And you definitely want to keep customers who use their cards on your website from coming up with “1234” type of passwords when registering, right?

  2. An overly laborious password policy will only be counterproductive: users will end up entering weaker passwords than if you hadn't asked them to change their passwords on a... weekly basis (just a random example).

Now that we've got these two issues straight, let us dive into the list of useful Drupal modules that I've prepared for you:

 

1. Password Strength 

A highly helpful module precisely for those cases that I mentioned above, when it's crucial that you keep users from opting for “123” type of passwords.

Now unlike other modules “promising” to assist you in your endeavors to enforce the usage of “unbreakable” passwords on your Drupal site, the Password Strength module operates “by the laws of entropy”!

That's right, it doesn't follow the conventional “at least one capital letter... at least 1 special character... at least 1 digit...” checklist (which would still allow users to go for a “password@123” type of... password), but it runs its own entropy calculation. It checks whether:

  • common words, “traceable” in any dictionary, have been used as passwords
  • or dates
  • or “clusters” of three (or more) characters (“bbb”).

A clever approach to password-strengthening, don't you think? 
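The contrast between the conventional checklist and the three pattern checks listed above, as an added Python illustration (not the Password Strength module's code or its actual algorithm). The word list, the flat `PATTERN_BITS` cost and the sample passwords are constructed assumptions; the first sample is capitalized so that it satisfies the checklist.

```python
import math
import re

# Constructed sample list; a real check would load a large dictionary.
COMMON_WORDS = ["password", "welcome", "dragon", "letmein", "qwerty", "kitten"]
LEET = str.maketrans("@0135$7", "aoiesst")  # undo common substitutions (1:1, keeps indices)
DATE_RE = re.compile(r"(?:19|20)\d{2}|\d{1,2}[-/.]\d{1,2}[-/.]\d{2,4}")
REPEAT_RE = re.compile(r"(.)\1{2,}")  # same character three or more times
PATTERN_BITS = 10  # assumed flat cost of guessing one matched pattern

def passes_checklist(pw):
    """Conventional rule: length, one capital, one digit, one special character."""
    return (len(pw) >= 8 and any(c.isupper() for c in pw)
            and any(c.isdigit() for c in pw)
            and any(not c.isalnum() for c in pw))

def find_patterns(pw):
    """Return (kind, start, end) for each dictionary word, date or repeat found."""
    spans = []
    normalized = pw.lower().translate(LEET)
    for word in COMMON_WORDS:
        at = normalized.find(word)
        if at != -1:
            spans.append(("dictionary", at, at + len(word)))
    for kind, rx in (("date", DATE_RE), ("repeat", REPEAT_RE)):
        spans += [(kind, m.start(), m.end()) for m in rx.finditer(pw)]
    return spans

def estimate_bits(pw):
    """Return (naive, adjusted) entropy estimates in bits."""
    classes = ((str.islower, 26), (str.isupper, 26), (str.isdigit, 10),
               (lambda c: not c.isalnum(), 33))
    pool = sum(size for test, size in classes if any(test(c) for c in pw))
    per_char = math.log2(pool) if pool > 1 else 0.0
    spans = find_patterns(pw)
    covered = {i for _, start, end in spans for i in range(start, end)}
    naive = len(pw) * per_char
    # Characters inside a matched pattern stop counting as random ones.
    adjusted = (len(pw) - len(covered)) * per_char + PATTERN_BITS * len(spans)
    return naive, min(naive, adjusted)

if __name__ == "__main__":
    for pw in ["Password@123", "Kitten2019!bbb", "vT9#qLm2$Xe8"]:  # constructed samples
        naive, adjusted = estimate_bits(pw)
        kinds = [kind for kind, _, _ in find_patterns(pw)]
        print(f"{pw!r}: checklist={passes_checklist(pw)} "
              f"naive={naive:.0f} adjusted={adjusted:.0f} patterns={kinds}")
```

All three samples pass the checklist, but only the last one keeps its naive estimate once the dictionary, date and repeat matches are discounted.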

 

2. Drupal Password Policy

Now this is the “one size fits all” type of module when it comes to setting up a custom password policy in Drupal!

Regardless of your site's nature and of its specific security needs, this is the module that shouldn't be missing from your security strategy!

Practically, it gives you full control over defining the whole set of constraints through which you'll steer users' decisions, ensuring that they set up strong passwords only. You'll be the one setting up the whole “infrastructure” of restrictions: length, unique characters, punctuation, digits, capitalization etc.

And there's more! The module features a much-needed expiration functionality, too! Users will either change their passwords at regular intervals or they're denied access to their own user accounts.

And when it comes to this module's particularities, applying only to specific versions of Drupal, you should know that:

  1. in Drupal 7 you're given a “blacklist” that you get to fill in with common dictionary words of your choice, the ones that would make users' passwords way too vulnerable
  2. in Drupal 8 “password constraints” get added via a plugin system; basically other modules, too, can add on extra functionality to this one here, making it an even more effective restrictions-enforcing tool.

3. Username Enumeration Prevention

A user login functionality on a website is pretty much like an “invitation” sent out to all the hackers out there! All they need is your registered users' usernames to infiltrate your Drupal site.

Now this is precisely what this module here does: it makes their “mission” of finding these usernames discouragingly difficult!

How? It simply disables that standard “request new password” message that a potential hacker could use as a sure way into your website! This way, he/she can't discover, via that standard status message, whether a username exists or not. A more than useful module to enhance your password policy in Drupal with, don't you think?

Now this is what I call a “cunning” Drupal-like security system!

 

4. Two-Factor Authentication (TFA)

“Check and double check!” This is how we could describe this module's functionality.

It adds an extra step for the user to take during his/her authentication process. And this additional step could be:

  • a one-time code that users receive via SMS
  • a one-time password
  • a pre-generated code
  • third-party services integration

Note: when it comes to encrypting sensitive data, it's the PHP mcrypt library that this module uses. Not a negligible little “detail”, right?

 

5. Secure Login: A Touchstone of Your Password Policy in Drupal

Turn HTTPS into your most powerful ally with this Drupal module here! 

It will ensure that your website users' login forms get transmitted via HTTPS (if both HTTP and HTTPS are available on your website). This way, their passwords will be inaccessible to the nosy ones.

 

6. Flood Control

Being a lighter alternative to the Login Security module, Flood Control limits the number of login attempts. It makes this very convenient for you thanks to the admin interface that the module provides.

No more “suspiciously” numerous login attempts!

 

7. Email Verify: A Key Module for Your Custom Password Policy in Drupal

Take this scenario for instance: a user tries to register on your Drupal site and makes a typo when entering his/her email.

And here's the solution to this “situation”: the Email Verify module runs the proper check-ups (it checks the domain, next the user's username, too) to discover whether a user's email, entered on your website, is a real one or not. Whether that email exists!

And this is what my own list of top useful modules for putting together a custom password policy in Drupal looks like! Do you have any other modules (which aren't listed here) that you rely on regularly in your work, as a Drupal developer, for adding extra functionalities to the out-of-the-box security systems on the websites that you build?