Drupal requires all users to have a password, including new users. In cases where administrators are creating accounts for others, this requirement seems to run counter to the following NIST recommendations: "Memorized secrets that are randomly chosen by the CSP (e.g., at enrollment) or by the verifier (e.g., when a user requests a new PIN) SHALL be at least 6 characters in length and SHALL be generated using an approved random bit generator [SP 800-90Ar1]."
Does user_password use an approved random bit generator? Can we simply hide the password_confirm element on user register forms when admin is creating a new user? Should we give a configuration option for this?
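As an added example (not Drupal's own user_password() and not code from this issue), the following standalone PHP shows what a generator that satisfies the quoted NIST SP 800-63B clause looks like: at least 6 characters, each index drawn from the operating system CSPRNG via random_int(), with no modulo bias. It assumes PHP 7.1+; the alphabet, the function names and the entropy helper are illustrative choices.

```php
<?php
declare(strict_types=1);

// Added example, not Drupal's user_password(): a password generator that
// meets the quoted NIST SP 800-63B requirement (at least 6 characters,
// drawn from an approved random bit generator). Assumes PHP 7.1+ so that
// random_int() and nullable parameter types are available.

// 0/O and 1/l/I are left out so a password read from a printout or over
// the phone is not mistyped. The alphabet itself is an assumption here.
const PASSWORD_ALPHABET = 'abcdefghijkmnopqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789';

/**
 * Generate a password of $length characters from PASSWORD_ALPHABET.
 *
 * random_int() draws from the operating system CSPRNG (getrandom(2),
 * /dev/urandom or CryptGenRandom on Windows) and returns a uniformly
 * distributed integer in [0, $max], so each character is picked without
 * modulo bias. rand() and mt_rand() are not acceptable substitutes: they
 * are not cryptographic generators and are seeded predictably.
 */
function generate_account_password(int $length = 12): string
{
    if ($length < 6) {
        throw new InvalidArgumentException(
            'NIST SP 800-63B: CSP-chosen memorized secrets SHALL be at least 6 characters.'
        );
    }
    $max = strlen(PASSWORD_ALPHABET) - 1;
    $password = '';
    for ($i = 0; $i < $length; $i++) {
        $password .= PASSWORD_ALPHABET[random_int(0, $max)];
    }
    return $password;
}

/**
 * Entropy in bits of a uniformly generated password: length * log2(|alphabet|).
 * A 12-character password over the 57-symbol alphabet above is about 70 bits;
 * the NIST minimum of 6 characters over the same alphabet is about 35 bits.
 */
function password_entropy_bits(int $length, string $alphabet = PASSWORD_ALPHABET): float
{
    return $length * log(strlen($alphabet), 2);
}

// Usage: an administrator creating an account for someone else generates the
// initial password here, stores only its hash through the normal password
// hashing path, and hands the cleartext over out of band.
$generated = generate_account_password(12);
printf(
    "Generated password: %s (%.1f bits of entropy)\n",
    $generated,
    password_entropy_bits(strlen($generated))
);
```

The check a practitioner would apply to any candidate generator, Drupal's included, is twofold: trace the source of randomness back to the OS CSPRNG (random_bytes()/random_int(), or on older PHP openssl_random_pseudo_bytes()/reading /dev/urandom) rather than rand()/mt_rand()/uniqid(), and confirm the index selection is uniform (rejection sampling or a range-bounded call such as random_int()), not a bare modulo over a byte.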
Comments
Comment #3
dnotes commented

Provided configuration options for never generating, optionally generating (hiding fields with JavaScript) or always generating passwords. Still not sure if user_password uses an "approved random bit generator" per NIST.