Today is World Password Day and that makes it a great time to recall our password policies (if you are part of an organization) and the overall strength of our own passwords (as an individual).

The FTC shares some pretty basic guidelines for password security, all of which are good tips to use:

  • Make your password long, strong and complex.
  • Don’t reuse passwords used on other accounts.
  • Use multi-factor authentication, when available.
  • Consider a password manager.
  • Select security questions only you know the answer to.
  • Change passwords quickly if there is a breach.

I feel comfortable saying I follow all of these rules. I use two-factor authentication for my most important email accounts and for work-related passwords I use a highly secure encrypted password manager with multiple authentication layers. But even with these great tools, a weak password is still weak.

For Drupal 8 websites there are some great modules you can use to help automate and enforce password security. Just keep in mind that with any process you force on users you will want to balance strictness with ease of use so that you don't inadvertently trigger frustration with your userbase and inspire them to circumvent your protective measures (eg. writing down their passwords on paper, etc).

Password Policy

From the Password Policy module page:
This module provides a way to enforce restrictions on user passwords by defining password policies. A password policy can be defined with a set of constraints which must be met before a user password change will be accepted. Each constraint has a parameter allowing for the minimum number of valid conditions which must be met before the constraint is satisfied.

Example: an uppercase constraint (with a parameter of 2) and a digit constraint (with a parameter of 4) means that a user password must have at least 2 uppercase letters and at least 4 digits for it to be accepted.

Force Password Change

From the Force Password Change module page:

This module allows administrators to force users, by role, individual user, or newly created user, to change their password on their next page load or login, and/or expire their passwords after a period of time. Some sample features:

  • Ability to set an expiry on passwords so that if users haven't changed their password within that time period, they will be required to do so.
  • Ability to force all new users to change their password on first-time login (site-wide setting for all new users).
  • Status page for each role showing: Password change details by user, the last time at which the role was forced to change the password, and a form to force the password change for all users in that role.

Better Passwords

From the Better Passwords module page:

Better Passwords attempts to help users create better passwords by adhering to current recommendations from the US National Institute of Standards and Technology (NIST). This agency, part of the United States Department of Commerce, periodically publishes recommendations that have been extremely influential in determining standards for information security. The most recent recommendations on management of passwords is in NIST Special Publication 800-63B, "Digital Identity Guidelines," section, "Memorized Secret Authenticators." Drupal core already meets or exceeds many of the NIST standards for creating and maintaining safe passwords; this module aims to get the rest of the way.

Password Strength

From the Password Strength module page:

Password Strength module provides realistic password strength measurement and server-side enforcement for Drupal sites using pattern-matching and entropy calculation. Almost any type of password can be allowed so long as the password proves to be of high enough entropy.

Other password enforcement tools are simplistic: they work by checking passwords on explicit rules like character count and amount of varying character types (symbols, numbers, uppercase letters, etc). A string like “Password1” will prove acceptable to such systems but are obviously weak and easily brute-forced. Instead of checking on strict rules, Password Strength classifies the expected brute-force time for the summed entropy of common underlying patterns in the password.

* * *

So, have you taken a look at your password security yet today?