Password Policy

Module Drupal Illustration Voir sur
Nb téléchargements : 61933


  • Code
  • Documentation
  • Miscellaneous
  • User interface



permet de forcer les restrictions sur les password des utilisateurs


Status : Published
Projects : Modules
Maintenance status : Minimally maintained
Development status : Under active development
Supported Branches : 4.0.
shield Stable releases for this project are covered by the security advisory policy.


This module supports enforcing restrictions on user passwords by defining password policies.


A password policy can be defined with a set of constraints which must be met before a user password change will be accepted. Each constraint has a parameter allowing for the minimum number of valid conditions which must be met before the constraint is satisfied.

Example: an uppercase constraint (with a parameter of 2) and a digit constraint (with a parameter of 4) means that a user password must have at least 2 uppercase letters and at least 4 digits for it to be accepted.

4.0.x branch

The 4.0.x branch has Drupal 10 support along with some bug fixes. The Drupal 8 branch (8.x-3.x) is no longer supported. While the 8.x-3.x branch could have been made compatible with Drupal 10, we decided to bump the major version in order to adopt semantic versioning. Normally, a major bump only happens with major code changes or rearchitecture work, but we decided to adopt semver for simplicity going forward.


The main features of the Password Policy module are password constraints and expiration.

Password Constraints

Current constraints include:

  • Character types
  • Delay
  • Digit
  • Digit placement
  • History*
  • Length
  • Letter
  • Letter/Digit (Alphanumeric)
  • Punctuation
  • Uppercase/Lowercase
  • Username

* checks hashed password against a collection of user's previous hashed passwords looking for recent duplicates

Password Expiration and Reset

The module implements a password expiration feature where the user is forced to change their password when their old password expires. This is set on the user's account edit form.

Administrators also have a bulk password reset feature where the admin selects roles to force a password reset for users with those roles. When someone with that role logins in, they are requested to change their password.

Other Releases

7.x-2.x is a major rewrite to include several of the features most lacking from 7.x-1.x: natively exportable configurations, cleaner administrator UI, and easier implementation of your own policies in other modules. Features requests should be made against the 7.x-2.x branch instead of 7.x-1.x. Note: #2027019: Upgrade from 7.x-1.x to 7.x-2.x not possible

Given the Drupal 7 EOL in early 2025, there may not be additional work on this branch.


Password policies only apply to passwords set via user forms in the web interface. Passwords changed by other means (Drush, web services, etc.) may not be subject to password policy constraints. Please see the following issue if you would like to contribute to removing this limitation: #2451159: Password policy doesn't work when updating the user

Complementary Modules

Toutes les informations proviennent du site