Force password reset after a minimum required password strength change

I like everything about this except:

User's individual score is kept in the users table data field

Isn't that column going away? I suggest a new database table: uid | password_strength_score.

Thanks for proposing this scor! I'm in favor of it all but for the proposed authenticated users workflow. I do agree with greggles that a new separate table is best to store a user's score and set time.

I agree with problem #2 but I'm not sure the risk of it is worth the complexity costs of implementing the proposed messaging and 2 hour window solution. I anticipate that logic being somewhat complex to write as well as a further support burden for integration with other modules and workflows. How about instead we:

* have a README and documentation section on mitigating this risk, including links to relevant modules
* relevant modules could include options such as forcing all authenticated users to be logged out on new strength, and
* possible separate module that implements the messaging and window feature

1. +++ b/password_strength.install
   @@ -37,4 +37,32 @@ function password_strength_requirements($phase) {
   +  $schema['password_strength_score'] = array(
   

   I think there needs to be a hook_update to install this, right? And also to calculate scores for existing users? I'd be fine if the latter item were provided by a drush command instead of a hook_update, since it will potentially be expensive.

2. +++ b/password_strength.module
   @@ -184,9 +215,17 @@ function password_strength_form_password_submit($form, &$form_state) {
   +  // by user_saved() in user_register_submit(). This ensures that the password
   

   comment typo "user_save()" ?

Right...that makes sense about not doing it for existing passwords.

Thanks for the improvements, scor. I did a quick visual review and it looks pretty thorough :)

Tests pass and this looks really good. I just have a couple suggestions.

1. Will you please add a column for storing the date of entry in password_strength_schema()? Could be useful for quick auditing when the password was set.
2. Would you please add a drupal_alter() in password_strength_init() on paths? I know some sites have modified some of the user* paths for password changes.

3. +++ b/password_strength.module
   @@ -598,3 +649,75 @@ function password_strength_required_score($account) {
   +    // steps, so we have to invoked hook_password_strength_change() here.
   

   Minor grammer mistake: "invoke"

Edit: dreditor didn't work right, manually modified the code sections.

As @scor is busy, I've extended his patch with the requested features, so this issue won't be blocking the next release. All credits go to @scor !

Also user/logout seems to be the new default logout path, so added that to the list of allowed paths.

Want to review further but quick nitpick for coding standards:

1. +++ b/README.md
   @@ -34,4 +34,8 @@ instructions, for example using drush:
   \ No newline at end of file
   

   Bring back newline please, coding standard has ending newline https://www.drupal.org/coding-standards#indenting

2. +++ b/password_strength.install
   @@ -37,4 +37,44 @@ function password_strength_requirements($phase) {
   \ No newline at end of file
   

   Same regarding newline

Git diff should handle that notification better. The second occurence is actually not valid, that file missed the line feed before the patch. It could have added a "-" to that line.

README.md however did need a newline.

Edit: Also changed time() to REQUEST_TIME :)

Here is a manual reroll as #18 no longer applied. I'm not always good at doing that, so could someone confirm it looks good? :)