OSTips – How to Force Strong Passwords in Drupal 9

One of the problems in Drupal core “out of the box” is that you can pretty much use anything you want for a password.  And while your business might have a policy against weak passwords if Drupal doesn’t enforce them, well, you know how people are. I get this question in training all the time, “How can we make users have strong passwords?” 

In this video, I want to talk about forcing strong passwords in Drupal 8 and 9. The solution is the Better Passwords module.

Keep reading to learn!

Hi and welcome to OSTips from OSTraining. My name is Rod Martin.

The Better Passwords module requires the installation of the zxcvn-php library, but if you install it with Composer, Composer will take care of that for you.  Here’s the Composer command given in the directions right below, so that’s really handy.

  • install using the Composer command
  • click Configure link

That takes you to Config >> People and passwords where you can set up:

  1. the minimum passphrase length
  2. how strong you want the passphrase to be (strongest/ strong/ moderate/ weak/ don’t check)
  3. whether to allow Auto-generate passwords for new users when added by administrators

Auto-generate is a really nice feature, and for most business Drupal sites, this is exactly how their users get added.

  • head over to People
  • click + Add user button

You’ll see that the auto-generate password is checked for me.

If I click Create new account on a real site, that password would have been sent to the user.

What does it look like when we don’t do that? Let’s add another user and find out.

I’m going to

  1. uncheck auto-generate password
  2. put in a terrible password so the strength is weak even though they match

Now, If we try and create that password, it’s going to tell us that it needs to be at least 8 characters long.  Let’s try that again with a different password that is at least 8 characters long. And that says Fair, but that I’ve used the word “Admin” three times.  It’s going say, “Sorry that’s repetitive. It’s not strong enough. 

Now let’s type in a good password: at least 8 characters long with no repitition.  We get a password strength of Strong. We even get the strength indicator in the Confirmation dialog.

All right, so that was actually pretty simple. Thanks for joining us today. My name is Rod Martin, and this has been OSTips from OSTraining.


  • Rod Martin

    Rod holds two masters degrees and has been training people how to do "things" for over 25 years. Originally from Australia, he grew up in Canada and now resides just outside Cincinnati, Ohio. He has worked in both the non-profit and for-profit worlds, in small companies and large corporations. His extensive open source experience includes WordPress, Joomla and Drupal and he really knows how to help you get the most out of the system you chose. Rod plays ice hockey a couple of times a week and rides his Goldwing motorcycle pretty much everywhere he can.

    View all posts
0 0 votes
Article Rating
Notify of

Inline Feedbacks
View all comments
Would love your thoughts, please comment.x