Password policy is not enforced on accounts created by admins. Admins can set an insecure password for new user accounts regardless of the strict password policy configured.

Comments

khaldoon_masud created an issue. See original summary.

pio.fernandes

Hi.
By default, it will enforce the rule for the authenticated user (see line 505 in password_policy.module).
If you wish to enforce different rules, just add the role ID to that line (we should not do this, as we should not hack core; see solution2), so line 505 becomes, e.g.:

solution1 -
$roles = array(DRUPAL_AUTHENTICATED_RID, 3);
And this will enforce the policies with the Administrator role, as by default Administrator is role ID 3, IF you have no policies for authenticated.
If you do have policies for Authenticated, they fall back to those at user creation time.

solution2 - If you don't want to hack core, you can install version 7.2, and there you can have the new users with the same policies as admin, by default, on user creation.

AohRveTPV

Status: Active » Postponed (maintainer needs more info)

khaldoon_masud, some more information would be helpful for diagnosing the problem:

1. Which roles do your admins have?
2. Which roles does your strict password policy apply to? That is, when editing the password policy, which roles are checked under "Roles"?

AohRveTPV

Status: Postponed (maintainer needs more info) » Closed (duplicate)

I think I see now: This seems to actually be a duplicate of #2833455: Admin user creation, policies not enforced for specific role. Thanks for the bug report. Please re-open if I am mistaken.