This module provides a way to enforce restrictions on user passwords by defining password policies.


A password policy can be defined with a set of constraints which must be met before a user password change will be accepted. Each constraint has a parameter allowing for the minimum number of valid conditions which must be met before the constraint is satisfied.

Example: an uppercase constraint (with a parameter of 2) and a digit constraint (with a parameter of 4) means that a user password must have at least 2 uppercase letters and at least 4 digits for it to be accepted.

8.x-3.x released

A version for Drupal 8 has been released for feedback. Constraints are now plugins. Please see the example constraints bundled as submodules to this release. Formal documentation will soon follow.


Current constraints include:

  • Character types
  • Digit
  • Letter
  • Letter/Digit (Alphanumeric)
  • Length
  • Uppercase
  • Lowercase
  • Punctuation
  • Delay
  • Username
  • Digit placement
  • History (checks hashed password against a collection of user's previous hashed passwords looking for recent duplicates)

The module also implements a password expiration feature. The user is forced to change their password and is optionally blocked when their old password expires.

Administrators can force specific users or entire roles to change their password on their next login and can make a password tab available to users instead of the usual user/#/edit page for password changes.

Other Releases

7.x-2.x is a major rewrite to include several of the features most lacking from 7.x-1.x: natively exportable configurations, cleaner administrator UI, and easier implementation of your own policies in other modules. Features requests should be made against this branch instead of 7.x-1.x. Note: #2027019: Upgrade from 7.x-1.x to 7.x-2.x not possible

Bug Bounties

$30: #2896150: Fatal error: Cannot redeclare password_policy_features_export_options()


Password policies only apply to passwords set via user forms in the web interface. Passwords changed by other means (Drush, web services, etc.) may not be subject to password policy constraints. Please see the following issue if you would like to contribute to removing this limitation: #2451159: Password policy doesn't work when updating the user

Complementary Modules

Supporting organizations: 

Project information