Improving the security of Drupal authentication

By default, Drupal has very lax password requirements for user accounts. When you create an account, Drupal will evaluate your password as “weak”, “good”, or “strong”. Depending on the password you enter, Drupal may suggest that you:

  • Make it at least 6 characters
  • Add uppercase (or lowercase) letters
  • Add numbers
  • Add punctuation

That said, by default, Drupal won’t stop you from creating a user account with a weak password.

If the only people who will need to log into your site are from your institution, investigate whether your institution has a Drupal authentication module, or instructions for how to configure a module like CAS or Shibboleth Authentication for use with your institution’s authentication system (i.e. the user ID and password you use to log into your campus email and other campus applications). Setting up user accounts that way minimizes the aspects of user account security that Drupal itself has to handle. In most cases, these institution-specific modules or configuration instructions replace the login form at /user/login with a button that will take a user to the institution’s authentication page, then return them to Drupal, logged-in, once they successfully authenticate.

If the users who need to log in are a mix of people from your local institution and elsewhere, you may opt for a mixed-authentication setup (i.e. people with institutional credentials log in that way, while people outside the institution log in with basic Drupal authentication), or you may choose to use basic Drupal authentication for all users.

There are numerous modules and approaches you can use to improve Drupal security:

The Password Policy module allows you to define and enforce sets of constraints on passwords. You can also use it to configure password expiration, forcing users to change their password after a certain amount of time. The Password Strength module takes a different approach, rejecting passwords that contain easily identifiable patterns, and requiring users to use a “high entropy” password, in the spirit of this xkcd comic.
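To make the difference between Drupal's advisory strength check and an enforced policy concrete, here is an added JavaScript example (not Drupal's own user.js and not the Password Policy module's code) that models the suggestions listed above beside an assumed policy of minimum length, character-class count, and no username inside the password; the rating thresholds and policy values are illustrative assumptions.

```javascript
// Added example: advisory strength check (suggests, never rejects) versus
// an enforced policy (rejects). Thresholds and policy are assumptions.
const SUGGESTIONS = {
  tooShort: 'Make it at least 6 characters',
  addLower: 'Add lowercase letters',
  addUpper: 'Add uppercase letters',
  addNumbers: 'Add numbers',
  addPunctuation: 'Add punctuation',
};

function characterClasses(password) {
  return {
    lower: /[a-z]/.test(password),
    upper: /[A-Z]/.test(password),
    digit: /[0-9]/.test(password),
    punct: /[^a-zA-Z0-9]/.test(password),
  };
}

// Advisory check: always accepts, only returns suggestions and a rating.
function suggestImprovements(password) {
  const c = characterClasses(password);
  const suggestions = [];
  if (password.length < 6) suggestions.push(SUGGESTIONS.tooShort);
  if (!c.lower) suggestions.push(SUGGESTIONS.addLower);
  if (!c.upper) suggestions.push(SUGGESTIONS.addUpper);
  if (!c.digit) suggestions.push(SUGGESTIONS.addNumbers);
  if (!c.punct) suggestions.push(SUGGESTIONS.addPunctuation);
  // Illustrative rating by number of unmet suggestions (assumed thresholds).
  const rating = suggestions.length === 0 ? 'strong'
    : suggestions.length <= 2 ? 'good' : 'weak';
  return { rating, suggestions, accepted: true };
}

// Enforced policy: the password is rejected unless every constraint holds.
// The constraint values are assumptions chosen for this example.
function enforcePolicy(password, username, policy = { minLength: 12, minClasses: 3 }) {
  const classes = Object.values(characterClasses(password)).filter(Boolean).length;
  const errors = [];
  if (password.length < policy.minLength) errors.push(`at least ${policy.minLength} characters required`);
  if (classes < policy.minClasses) errors.push(`at least ${policy.minClasses} character classes required`);
  if (username && password.toLowerCase().includes(username.toLowerCase())) {
    errors.push('must not contain the username');
  }
  return { accepted: errors.length === 0, errors };
}
```

Run the two functions on the same short password to see the advisory check accept it with a list of suggestions while the policy rejects it with a list of errors.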

You can significantly increase the security of user authentication by using the Two-factor Authentication module, which integrates with Google Authenticator or other third-party services that generate one-time security codes a person must supply when logging in.

The Password Reset Landing Page module improves on the password reset interface by allowing people to change their password immediately once they log in using the one-time link.

The Flood Control module allows you to configure how many failed login attempts will trigger an account to be blocked.

By default, a user logged into Drupal stays logged in until they explicitly log out. The Automated Logout module ends idle sessions after a configurable period, and the Session Limit module caps the number of simultaneous sessions per user (e.g. to prevent a user from being logged in on both their home and work computers at once).