One of the problems in Drupal core "out of the box" is that you can pretty much use anything you want for a password. And while your business might have a policy against weak passwords, if Drupal doesn't enforce it, well, you know how people are. I get this question in training all the time: "How can we make users have strong passwords?"
In this video, I want to talk about forcing strong passwords in Drupal 8 and 9. The solution is the Better Passwords module.
Keep reading to learn!
Hi and welcome to OSTips from OSTraining. My name is Rod Martin.
The Better Passwords module requires the installation of the zxcvbn-php library, but if you install it with Composer, Composer will take care of that for you. Here's the Composer command given in the directions right below, so that's really handy.
- install using the Composer command
- click Configure link
That takes you to Config >> People and passwords where you can set up:
- the minimum passphrase length
- how strong you want the passphrase to be (strongest / strong / moderate / weak / don't check)
- whether to allow Auto-generate passwords for new users when added by administrators
Auto-generate is a really nice feature, and for most business Drupal sites, this is exactly how their users get added.
- head over to People
- click + Add user button
You'll see that the auto-generate password is checked for me.
If I click Create new account on a real site, that password would have been sent to the user.
What does it look like when we don't do that? Let's add another user and find out.
I'm going to
- uncheck auto-generate password
- put in a terrible password so the strength is weak even though they match
Now, if we try to create that password, it's going to tell us that it needs to be at least 8 characters long. Let's try that again with a different password that is at least 8 characters long. That one says Fair, but I've used the word "Admin" three times. It's going to say, "Sorry, that's repetitive. It's not strong enough."
Now let's type in a good password: at least 8 characters long with no repetition. We get a password strength of Strong. We even get the strength indicator in the Confirmation dialog.
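As an added illustration (not code from the Better Passwords module or the zxcvbn-php library), this Python sketch shows why the repeated "Admin" password in the demo is rejected even though it passes the length check: a repeated string costs an attacker only the guesses for one unit multiplied by the repeat count. The word list, the 100-guess figure and the threshold are assumptions chosen for the example.

```python
import math
import re

MIN_LENGTH = 8             # minimum length used in the demo above
MIN_LOG10_GUESSES = 8.0    # assumed cut-off for "strong enough"
COMMON_WORDS = {"admin", "password", "drupal", "welcome"}  # constructed sample list


def base_guesses(token: str) -> float:
    """Guess count for one token: tiny for a known word, brute force otherwise."""
    if token.lower() in COMMON_WORDS:
        return 100.0  # assumed: a common word sits near the top of any guess list
    pool = 0
    if re.search(r"[a-z]", token):
        pool += 26
    if re.search(r"[A-Z]", token):
        pool += 26
    if re.search(r"\d", token):
        pool += 10
    if re.search(r"[^a-zA-Z\d]", token):
        pool += 33
    return float(pool) ** len(token)


def estimate_guesses(password: str) -> float:
    """Repeat-aware estimate: 'AdminAdminAdmin' costs guesses('Admin') * 3."""
    m = re.fullmatch(r"(.+?)\1+", password)  # shortest unit that tiles the string
    if m:
        unit = m.group(1)
        return base_guesses(unit) * (len(password) // len(unit))
    return base_guesses(password)


def check(password: str) -> tuple[bool, str]:
    """Apply the length rule first, then the guessability rule."""
    if len(password) < MIN_LENGTH:
        return False, f"must be at least {MIN_LENGTH} characters"
    if math.log10(estimate_guesses(password)) < MIN_LOG10_GUESSES:
        return False, "too guessable (repetition or common word)"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample passwords mirroring the three attempts in the demo.
    for pw in ("admin", "AdminAdminAdmin", "tram-Velvet-okapi-92"):
        print(f"{pw!r}: {check(pw)}")
```

A real estimator such as zxcvbn also matches keyboard patterns, dates, sequences and much larger dictionaries, so treat the numbers here as illustrative only.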
All right, so that was actually pretty simple. Thanks for joining us today. My name is Rod Martin, and this has been OSTips from OSTraining.