This module allows administrators to force users, by role, individual user, or newly created user, to change their password on their next page load or login, and/or expire their passwords after a period of time.


  • Ability to force all users in a role to change their password
  • Ability to force individual users to reset their password from their profile edit page (user/[UID]/edit)
  • Ability to set an expiry on passwords so that if users haven't changed their password within that time period, they will be required to do so
  • Ability to force all new users to change their password on first-time login (site-wide setting for all new users)
  • Ability for admins to force individual users to change their password on first time login when creating a new user. (Note: If the global setting forcing all new users to reset their password is enabled on the module settings page, this checkbox will not appear as it is redundant)
  • Listing of stats on the user edit page (user/[UID]/edit) showing:
    • Whether the user has a pending forced password change
    • When the user last had their password forced to be changed
    • When the user last changed their password
  • Status page for each role showing:
    • Password change details by user
    • The last time at which the role was forced to change the password
    • A form to force the password change for all users in that role

D8 Port

8.x-1.0-rc1 has been released. It is a direct port of the D7 version, with no new features.

D8 roadmap

Full release will be released when there are no bug reports for the release candidate for a period of two weeks after any reported bugs have been fixed.

Feature requests will be dealt with after there is a full release, and will be added to 8.x-2.x

If your site becomes inaccessible

If your site becomes unusable or inaccessible for some reason after enabling this module, you can temporarily disable the module's password checking features using the following methods:


In the file force_password_change/src/EventSubscriber/ForcePasswordChangeEventSubscriber.php, find the following two lines, and change them from this:

$events[KernelEvents::REQUEST][] = array('checkForPasswordForce');
return $events;

To this:

//$events[KernelEvents::REQUEST][] = array('checkForPasswordForce');
//return $events;


Edit force_password_change.module, and change this:

function force_password_change_init()
	global $user;

To this:

function force_password_change_init()
	$user = new StdClass;

Make sure to change the code back when you are done (and re-test). This temporary fix prevents the module from checking to see if users should be forced to change their password or not, so if you don't change it back this module is useless.


Version 8.x-1.x: In development

Version 7.x-2.0: Fixes various bugs reported in 7.x-1.0. Adds some new features

Version 7.x-1.0: No longer supported.

Version 6: No longer supported.

Alternate Modules

The Password Reset Landing Page module forces users to use a new password when using the password recovery page. This module is complimentary to the Force Password Change module.

The Password Policy module comes bundled with the 'Password change tab' module that also provides the ability to force a password change for users. You may want to try out both modules to see which one better suits your needs.


This module has been developed by Jaypan.

Supporting organizations: 
Provided paid time to update module

Project Information