User password policies

Default policy

When creating a new local user account, or changing a local user password, a password policy is applied, checking the complexity of the password with a Regex.

  • By default, that password must have:
    • at least one lower cased letter
    • at least one upper cased letter
    • at least one digit
    • at least one special character
    • more than 8 characters long
  • The existing passwords are not affected.
  • The admin account created during the setup is not affected
  • All means of changing a user password are affected, except CSV import and DataSynchro (known limitation).
  • Admin can't bypass the policy, but they can change it.

Configuration

The default setting is not present but would look this way in Configuration file.

Configuration
$MyModuleSettings = array(
   'authent-local' => array (
      'password_validation.pattern' => '^(?=.*[a-z])(?=.*[A-Z])(?=.*\d)(?=.*[^\da-zA-Z]).{8,}$',
   ),
);

Change the policy

No policy at all

If you want to disable the pattern matching policy, just set an empty string.

$MyModuleSettings = array(
    'authent-local' => array(
        'password_validation.pattern' => '',
    ),
);

Custom policy

If you want to apply your own policy, just write the Regex expression which would ensure it
We suggest you to use the excellent https://regex101.com/ to test your regex.

For example let says that we want to force the password to be between 6 and 15 chars long, here is the Configuration to set:

$MyModuleSettings = array(
    'authent-local' => array(
        'password_validation.pattern' => '.{6,15}', 
        'password_validation.message' => array(
                        'FR FR' => 'Le mot de passe doit faire en 6 et 15 caractères de long',
                        'EN US' => 'Password length must be between 6 and 15 characters',
                ),
    ),
);

To set the password validation you can also use the translation key: Error:UserLocalPasswordValidator:UserPasswordPolicyRegex/ValidationFailed or use the configuration key password_validation.message:

  • the configuration key have precedence over the translation
  • it can be either a string or an array per language.
  • if you use an array, the EN US entry act as a fallback in case the user's language is not found.

Other policies

It's possible through extensions to bring other password policies.

Password renewal

Two native fields where added to the LocalUser class: expiration and password_renewed_date.

  • The password_renewed_date is automatically filled when the password change.
  • The expiration flag is useless without an extension to exploit it.
latest/admin/password-policy.txt · Last modified: 2023/07/21 10:19 (external edit)
Back to top
Contact us