Password strength policy and its enforcement

You can find some best practices on how to form secure and user-friendly passwords in this comic: Password Strength.

The system can be configured to use a password policy, which means that new passwords entered by users are validated according to a certain set of requirements. Passwords that do not meet the specified conditions are rejected.

Configuring a password policy

To enforce a password policy on your website, enable the Use password policy setting in Settings -> Security & Membership -> Passwords. The specific rules of the policy can be configured through the remaining settings in the category:

  • Minimal length – sets the minimum number of total characters required for user passwords.

  • Number of non alphanumeric characters – sets the minimum number of non-alphanumeric characters (i.e. any character other than a letter or a digit) that a password must contain in order to be accepted.

  • Regular expression – can be used to enter a regular expression that will be used to validate user passwords.

    • For example: ^(?=.*\d)(?=.*[a-z])(?=.*[A-Z]).*$
    • This sample expression requires passwords to contain at least one lower case letter, one upper case letter and one digit. The minimum length is determined by the other policy settings.

The requirements defined by all three settings are combined together to form the final password policy.

Password policy application

The policy is applied in:

  • All parts of the administration interface where a new password can be entered. Most commonly, this includes the Users application and the My profile -> Change password tab.
  • User-related actions, such as password resets, performed through Xperience membership on the live site.

The requirements of the policy, except for the regular expression, are additionally observed when the system automatically generates new passwords. This is also the case if the Use password policy setting is disabled, so you can affect how passwords are generated even if you do not wish to set a policy for your users.
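The following is an added, stand-alone illustration of how the three settings combine into one policy and of how generation honours only the length and non-alphanumeric counts; it is not Xperience's own code, and the class, field and function names are assumptions.

```python
import re
import secrets
import string
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class PasswordPolicy:
    """Hypothetical mirror of the three settings described on this page."""
    enabled: bool = True          # "Use password policy"
    min_length: int = 8           # "Minimal length"
    min_non_alnum: int = 1        # "Number of non alphanumeric characters"
    regex: Optional[str] = None   # "Regular expression" (optional)


def count_non_alnum(password: str) -> int:
    # Non-alphanumeric means any character that is not a letter or a digit.
    return sum(1 for c in password if not c.isalnum())


def violations(policy: PasswordPolicy, password: str) -> List[str]:
    """Return the rules the password breaks; an empty list means accepted."""
    if not policy.enabled:
        return []                 # without a policy every password is accepted
    problems = []
    if len(password) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    if count_non_alnum(password) < policy.min_non_alnum:
        problems.append(f"fewer than {policy.min_non_alnum} non-alphanumeric characters")
    # re.search mirrors a plain "is match" check; anchor the pattern yourself.
    if policy.regex and not re.search(policy.regex, password):
        problems.append("does not match the regular expression")
    return problems


def generate_password(policy: PasswordPolicy, length: int = 12) -> str:
    """Generate a password honouring min_length and min_non_alnum only.

    As the page states, the regex is not consulted when generating, and the
    two counts apply even when policy.enabled is False.
    """
    length = max(length, policy.min_length)
    symbols = "!#$%&*+-=?@^_"     # constructed set of non-alphanumeric characters
    chars = [secrets.choice(symbols) for _ in range(policy.min_non_alnum)]
    chars += [secrets.choice(string.ascii_letters + string.digits)
              for _ in range(length - len(chars))]
    secrets.SystemRandom().shuffle(chars)   # do not leave symbols at the front
    return "".join(chars)
```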

Enforcing password policy on existing users

When you introduce a password strength policy, existing users are by default allowed to keep their passwords unchanged.

To force existing users to observe the policy, enable the Force password policy on logon setting. With this setting enabled, the system checks whether a user’s password meets the policy requirements every time the user signs in to the administration interface. If the password does not meet the requirements, the user is presented with a form that requires them to change the existing password.

Please note that this setting only affects users signing in to the administration interface.

Password strength indicator

When changing a user password in the administration interface, it is validated in real time and its status is reflected by an indicator below the field. If a password policy is set, passwords that do not fulfill the requirements will be rejected with the Not acceptable status.

(Screenshot: Password strength indicator)

Valid passwords are given a status according to their relative strength, which is calculated against the recommended values for the total password length (12 by default) and the number of non-alphanumeric characters (2 by default). If a password policy is not enabled for the website, the strength status is still shown, but only as a recommendation, and all passwords are accepted.

To help users come up with an appropriate password, you can use the Policy violation message setting to specify a text message that is displayed to users who attempt to enter a password that does not fulfill the requirements of the password policy. If left empty, a default message is shown, stating the minimum password length and number of non-alphanumeric characters. If you use a regular expression, it is recommended to describe its requirements in a custom message, since the default message does not cover it.

Customizing the password strength indicator

You can change the recommended values that are used to calculate the password strength by editing the code of the appropriate controls:

  • To set different values globally for the entire application, edit the code-behind of the ~/CMSModules/Membership/FormControls/Passwords/PasswordStrength.ascx control and enter different numbers for the mPreferedLength and mPreferedNonAlphaNumChars variables.
  • You can also override the values for specific instances where this control is used through its PreferedLength and PreferedNonAlphaNumChars properties.
  • The appearance of individual password strength status labels may be customized through CSS styles. Each one has a different class assigned, e.g. PasswordStrengthNotAcceptable.