Passwords are key to user authorization and authentication in Drupal. The default password management could be considered good, but it can be improved. The modules listed below provide additional controls for password management in your Drupal installation.

  • Password Strength: This module provides realistic password strength measurement and server-side enforcement for Drupal sites using pattern-matching and entropy calculation, so that administrators can restrict passwords to only be, for example, "high" strength.
  • Password Expire: Enforces password expiration. Users who do not change their passwords within the given time will have their passwords reset to a randomly generated one. It includes several notifications to the users.
  • Password Policy: Provides a way to specify a certain level of password complexity (a.k.a. "password hardening") for user passwords on a system by defining a password policy. This module also includes a password expiration feature.
  • Salted Passwords: Drupal 7 introduced salted passwords (an additional string is added to the password before it is hashed), which makes the stored hashes less prone to dictionary attacks, rainbow tables and other hash-cracking tools and so improves the protection of stored passwords. This module provides this functionality for the 5.x and 6.x versions of Drupal.
  • Password Change Confirmation: With this module, users must enter their old password when changing the password in the user edit form, to avoid cross-site and session hijacking attacks.
  • Restrict Password Change: Restrict the password change operation using a new permission.
  • Login Security: Proactively protects the login form from submission abuse and notifies the administrator about password-guessing or brute-force operations. Provides functionality to block users or IP addresses after a number of invalid login attempts, creating an authentication policy.