As you may remember from fairy tales, knowing the secret words helps you move mountains and open treasure caves. The words “Open, Sesame” from “Ali Baba and the Forty Thieves” work somewhat like modern website passwords. However, making passwords work well is a complex art, and it is one of the touchstones of Drupal website security. Thankfully, Drupal gives you a lot of power here, both through its out-of-the-box features and through many useful modules.
Passwords: what should they be like?
At first glance, it might seem that setting complicated requirements for users’ passwords is necessary for security. However, this may sometimes work against you.
For example, forcing users to have a strict composition of letters and numbers in passwords may lead to passwords that are hard to remember and have to be saved somewhere. And asking people to change passwords too often may eventually annoy them so they end up creating weaker passwords.
In addition, never forget that, first of all, you need to convince people to register at all, and people are often reluctant to do so.
So what you need is a good mix of strictness and usability. This proportion largely depends on what kind of “treasures” are kept in a particular “cave” — for example, a website which involves payment processes deserves a more complicated entry control. In addition, there also are other means to enhance password security that do not require anything from users.
Let’s see how Drupal modules let you take into account all these and many more twists and turns in password policy, so you can choose what’s right for your website. The following is a blend of Drupal 7 and Drupal 8 modules, some of which are available for both versions, and some of which are in active development.
Some useful Drupal modules for working with passwords
This module lets you impose a set of requirements on passwords created by users, including length, digits, case, punctuation and more. You can set what kinds of characters, and how many of each, have to be used in a password. The module also offers a password expiration feature. In the Drupal 7 version, there is basic blacklist functionality, where you can add the most common dictionary words to prevent their use and avoid weak passwords. In Drupal 8, this feature is coming soon.
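To make the kind of policy described above concrete, here is an added example in plain PHP (it is not the module's own code and uses no Drupal API): a validator that checks minimum length, per-class character counts and a blacklist of common words. The policy keys (min_length, min_digits and so on), the blacklist entries and the sample candidates are constructed for the demonstration; it assumes a PHP 8 CLI with the mbstring extension.

```php
<?php
// Added example (not the module's code): a standalone password policy
// checker modelled on the constraints the text lists: minimum length,
// required counts of digits, upper/lower-case letters and punctuation,
// plus a blacklist of common dictionary words. The $blacklist entries
// below are constructed sample values, not the module's own list.

declare(strict_types=1);

/**
 * Returns an array of human-readable violations; empty means the password passes.
 *
 * @param string   $password  Candidate password.
 * @param array    $policy    Constraint thresholds (hypothetical keys, see usage).
 * @param string[] $blacklist Lower-case words that may not appear in the password.
 */
function checkPasswordPolicy(string $password, array $policy, array $blacklist): array
{
    $violations = [];

    // Count characters per class with Unicode-aware regexes (/u flag).
    $counts = [
        'digits'      => preg_match_all('/\p{Nd}/u', $password),
        'uppercase'   => preg_match_all('/\p{Lu}/u', $password),
        'lowercase'   => preg_match_all('/\p{Ll}/u', $password),
        'punctuation' => preg_match_all('/[\p{P}\p{S}]/u', $password),
    ];

    if (mb_strlen($password) < $policy['min_length']) {
        $violations[] = sprintf('must be at least %d characters long', $policy['min_length']);
    }
    foreach ($counts as $class => $found) {
        $required = $policy['min_' . $class] ?? 0;
        if ($found < $required) {
            $violations[] = sprintf('must contain at least %d %s character(s)', $required, $class);
        }
    }

    // Blacklist: reject if any banned word appears as a substring, ignoring case,
    // so "Password123!" still fails on "password".
    $lower = mb_strtolower($password);
    foreach ($blacklist as $word) {
        if ($word !== '' && mb_strpos($lower, $word) !== false) {
            $violations[] = sprintf('must not contain the common word "%s"', $word);
        }
    }

    return $violations;
}

// Constructed sample policy and blacklist for the demonstration run below.
$policy = [
    'min_length'      => 12,
    'min_digits'      => 1,
    'min_uppercase'   => 1,
    'min_lowercase'   => 1,
    'min_punctuation' => 1,
];
$blacklist = ['password', 'qwerty', 'letmein', 'drupal'];

// Expected: the first is rejected on the blacklist, the second on missing
// classes, the third is accepted.
foreach (['Password123!', 'correct horse battery staple', 'T9#kq2Lm!vR7pZ'] as $candidate) {
    $result = checkPasswordPolicy($candidate, $policy, $blacklist);
    printf("%-30s %s\n", $candidate, $result ? 'REJECTED: ' . implode('; ', $result) : 'accepted');
}
```

The blacklist test is deliberately a substring match rather than an equality check: a policy that only bans the exact word "password" is trivially satisfied by "Password123!", which is exactly the weak password such a list exists to stop.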
If your website requires it, add an additional lock to the doors by implementing security questions during the login and password reset procedures. This module will help you do it in a flexible way, using a number of configurable options.
What if you need more than one lock? Here is a double lock. The TFA module adds an additional step to the authentication procedure. This may include one-time passwords, codes sent by SMS, or pre-generated codes, as well as integration with third-party services (Authy, Duo, etc.). The module encrypts sensitive data using the PHP mcrypt library.
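The one-time passwords mentioned above are usually TOTP codes (RFC 6238, built on HOTP from RFC 4226). The following is an added example in plain PHP, not the TFA module's code and not using any Drupal API, that generates and verifies such codes with the standard-library hash_hmac() and hash_equals() functions. The secret is the ASCII test secret from the RFCs, so the printed values can be checked against their published vectors; the drift window and sample timestamps are constructed for the demonstration.

```php
<?php
// Added example (not the TFA module's code): RFC 4226 HOTP / RFC 6238 TOTP
// generation and verification in plain PHP, showing the one-time-password
// mechanism the text mentions. Uses only hash_hmac() and hash_equals() from
// the PHP standard library; no Drupal API is involved.

declare(strict_types=1);

/** HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated. */
function hotp(string $secret, int $counter, int $digits = 6): string
{
    // pack('J') = unsigned 64-bit big-endian (PHP >= 5.6.3).
    $hmac = hash_hmac('sha1', pack('J', $counter), $secret, true);
    $offset = ord($hmac[19]) & 0x0F;
    $binary = ((ord($hmac[$offset]) & 0x7F) << 24)
            | (ord($hmac[$offset + 1]) << 16)
            | (ord($hmac[$offset + 2]) << 8)
            |  ord($hmac[$offset + 3]);
    return str_pad((string) ($binary % (10 ** $digits)), $digits, '0', STR_PAD_LEFT);
}

/** TOTP (RFC 6238): HOTP with the counter derived from Unix time in 30-second steps. */
function totp(string $secret, int $unixTime, int $step = 30, int $digits = 6): string
{
    return hotp($secret, intdiv($unixTime, $step), $digits);
}

/**
 * Verify a submitted code, accepting one step of clock drift either side.
 * hash_equals() keeps the comparison constant-time; the caller should also
 * record the accepted counter so the same code cannot be replayed.
 */
function verifyTotp(string $secret, string $submitted, int $unixTime, int $window = 1): bool
{
    $ok = false;
    for ($drift = -$window; $drift <= $window; $drift++) {
        $expected = totp($secret, $unixTime + $drift * 30);
        // Evaluate every candidate so timing does not reveal which one matched.
        $ok = hash_equals($expected, $submitted) || $ok;
    }
    return $ok;
}

// RFC 6238 test secret (ASCII "12345678901234567890"); at T=59 the SHA-1 TOTP is
// 287082 (6 digits) / 94287082 (8 digits) per the RFC's reference vectors.
$secret = '12345678901234567890';
printf("TOTP at T=59: %s (8-digit: %s)\n", totp($secret, 59), totp($secret, 59, 30, 8));
var_dump(verifyTotp($secret, '287082', 59));   // true: exact step
var_dump(verifyTotp($secret, '287082', 80));   // true: within one step of drift
var_dump(verifyTotp($secret, '287082', 200));  // false: code has expired
```

Two details matter for a real deployment: the shared secret must be stored encrypted (which is why the module uses an encryption library), and a code that has been accepted once must be rejected on a second submission within the same window, which the verifier above leaves to its caller.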
Do you not need any special locks? If you find it justifiably unnecessary for your website (and if you have thought twice), you can disable the password strength check and let your users feel more at ease when creating passwords. In this case, usability takes the lead.
People appreciate the convenience of using an all-in-one login. Here is a module that lets users sign up and sign in to your site using their accounts on social networks. The list includes Facebook, LinkedIn, Twitter, Amazon, Disqus, Pinterest, Instagram, Foursquare and more — 30+ in total.
If a user makes a typo while providing an email address in the signup form, it can cause problems, because they are not going to get confirmation or other emails. Luckily, there is a module that checks whether the address really exists, first at the domain level, and then at the actual username level.
Be protected by the power of HTTPS. If your website is available via both HTTP and HTTPS, the Secure Login module makes sure your user login forms (or other pages) are transmitted via HTTPS, so passwords are hidden from prying eyes.
You can limit the number of login attempts using a convenient admin interface provided by the Flood control module.
Enhance login attempt limitation by blocking the sources of suspicious requests. This module, which provides an automated firewall tool, is ready to help you.
When attackers know the usernames of a website’s users, they can attempt brute-force attacks against those accounts. The Username Enumeration Prevention module makes it more difficult for them to discover these usernames.
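The three ideas above (limiting login attempts, blocking a source that keeps failing, and not revealing whether a username exists) fit together in one login handler. Here is an added example in plain PHP that is not the code of the Flood control, firewall or Username Enumeration Prevention modules and uses no Drupal API: an in-memory throttle counts failures per source IP and per account inside a sliding window, and every failure path returns the same generic message. The user store, thresholds, timestamps and the 203.0.113.7 address are constructed for the demonstration; it assumes a PHP 8 CLI.

```php
<?php
// Added example (not the Flood control or Username Enumeration Prevention
// module code): an in-memory login throttle that counts failed attempts per
// source IP and per account inside a sliding window, blocks the source once
// the limit is reached, and always returns the same generic message so the
// response does not reveal whether the username exists. The user store,
// thresholds and sample attempts are constructed for the demonstration.

declare(strict_types=1);

final class LoginThrottle
{
    /** @var array<string, int[]> failure timestamps keyed by "ip:..." or "user:..." */
    private array $failures = [];

    public function __construct(
        private int $ipLimit = 10,
        private int $userLimit = 5,
        private int $windowSeconds = 3600,
    ) {}

    private function recentFailures(string $key, int $now): int
    {
        // Drop timestamps that fell out of the window, then count the rest.
        $cutoff = $now - $this->windowSeconds;
        $this->failures[$key] = array_values(array_filter(
            $this->failures[$key] ?? [],
            fn (int $t) => $t > $cutoff
        ));
        return count($this->failures[$key]);
    }

    public function isBlocked(string $ip, string $username, int $now): bool
    {
        return $this->recentFailures("ip:$ip", $now) >= $this->ipLimit
            || $this->recentFailures("user:" . strtolower($username), $now) >= $this->userLimit;
    }

    public function recordFailure(string $ip, string $username, int $now): void
    {
        $this->failures["ip:$ip"][] = $now;
        $this->failures["user:" . strtolower($username)][] = $now;
    }

    public function clearUser(string $username): void
    {
        unset($this->failures["user:" . strtolower($username)]);
    }
}

/**
 * Simulated login. $users maps username => password hash (password_hash()).
 * Every failure path yields the identical message, and a dummy verification
 * runs for unknown users so the timing is similar to the known-user path.
 */
function attemptLogin(LoginThrottle $throttle, array $users, string $ip, string $username, string $password, int $now): string
{
    static $dummyHash = null;
    $dummyHash ??= password_hash('dummy-for-timing', PASSWORD_DEFAULT);

    if ($throttle->isBlocked($ip, $username, $now)) {
        return 'Too many failed attempts; try again later.';
    }
    $hash = $users[$username] ?? $dummyHash;
    $valid = password_verify($password, $hash) && isset($users[$username]);
    if (!$valid) {
        $throttle->recordFailure($ip, $username, $now);
        return 'Unrecognized username or password.';
    }
    $throttle->clearUser($username);
    return 'Welcome, ' . $username;
}

// Constructed sample data: one real account, a user limit of 3 failures per hour.
$users = ['alice' => password_hash('correct-horse', PASSWORD_DEFAULT)];
$throttle = new LoginThrottle(ipLimit: 10, userLimit: 3, windowSeconds: 3600);
$t = 1_700_000_000;

echo attemptLogin($throttle, $users, '203.0.113.7', 'alice', 'wrong', $t), PHP_EOL;          // generic failure
echo attemptLogin($throttle, $users, '203.0.113.7', 'nobody', 'wrong', $t + 1), PHP_EOL;     // same generic message
echo attemptLogin($throttle, $users, '203.0.113.7', 'alice', 'wrong', $t + 2), PHP_EOL;
echo attemptLogin($throttle, $users, '203.0.113.7', 'alice', 'wrong', $t + 3), PHP_EOL;
echo attemptLogin($throttle, $users, '203.0.113.7', 'alice', 'correct-horse', $t + 4), PHP_EOL;    // blocked: 3 failures
echo attemptLogin($throttle, $users, '203.0.113.7', 'alice', 'correct-horse', $t + 3601), PHP_EOL; // window expired: welcome
```

The per-account counter is what stops a password-guessing run against one known username, while the per-IP counter covers a source that rotates through many usernames; the generic message for both unknown users and wrong passwords is the enumeration-prevention part. In production the counters would live in a shared store rather than a PHP array so that they survive across requests and web nodes.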
These are just some of the great modules dealing with passwords in Drupal. Good luck in using them in the best way for your website!
And we can enhance your luck, or transform it into a 100% positive outcome — all you need is to contact our cool drupalers who are ready to help in any website optimization issue.