Force Password Change
Allows administrators to force users to change their passwords by role, individual user, or through password expiration policies.
force_password_change
Install
composer require 'drupal/force_password_change:^2.0'
Overview
The Force Password Change module provides comprehensive password change enforcement capabilities for Drupal sites. Administrators can force users to change their passwords through multiple methods: by role (forcing all users in a specific role), by individual user (from their profile edit page), or automatically when passwords expire after a configured time period.
The module supports both immediate enforcement (on every page load) and login-only enforcement, giving site administrators flexibility in how strictly password changes are enforced. When a password change is required, users are automatically redirected to their profile edit page where they must enter a new password before continuing to use the site.
Additionally, the module can require all new users to change their password on first login, ensuring that administrator-created accounts are secured with user-chosen passwords. Comprehensive statistics are available showing pending password changes, last force dates, and last password change dates for each user and role.
Features
- Force all users in a specific role to change their password immediately or on next login
- Force individual users to change their password from their profile edit page (user/[UID]/edit)
- Set password expiration periods by role (e.g., require password changes every 30 days, 90 days, or 1 year)
- Force all newly created users to change their password on first-time login (site-wide setting)
- Option to force first-time login password change when creating individual users
- Password change statistics on user edit pages showing pending status, last forced date, and last password change date
- Per-role status pages showing all users in the role with their password change details
- Configurable enforcement mode: check on every page load (more secure) or only on login (less overhead)
- Priority-based password expiration when users have multiple roles (highest priority role determines expiration)
- Emergency disable option via settings.php if site becomes inaccessible
- Link to force password change options added to role management operations
Use Cases
Enforcing Password Changes After Security Breach
When a security incident occurs, administrators can immediately force all users (or specific roles) to change their passwords. Navigate to /admin/config/people/force_password_change, select the 'Authenticated user' role checkbox, and submit. All users will be required to change their password on their next page load or login.
Implementing Password Expiration Policies for Compliance
Organizations requiring regular password rotation for compliance can configure password expiration. Enable 'Enable password expiration', then set time periods for each role (e.g., 90 days for regular users, 30 days for administrators). Use the weight/priority system to ensure admin roles take precedence.
Securing Administrator-Created Accounts
When creating accounts for new employees, enable 'Force password change on first-time login' to ensure the temporary password set by administrators is replaced with a user-chosen password. Alternatively, check the per-user 'Force password change on first-time login' checkbox when creating individual accounts.
Auditing Password Change Compliance
Use the role-specific status pages at /admin/config/people/force_password_change/list/{rid} to view which users have pending password changes and when each user last changed their password. This helps identify users who may not be complying with password policies.
Forcing Password Changes for Specific Users
When a specific user's credentials may have been compromised, navigate to their profile edit page (user/[UID]/edit) and check 'Force this user to change their password'. The user will be required to change their password on their next page load or login.
Tips
- Use 'On login only' mode for sites where users stay logged in for long periods and immediate password changes are not critical - this reduces performance overhead.
- Set up different expiration periods for different roles - administrators might need more frequent password changes (30 days) than regular users (90 days).
- The priority/weight system for expiration applies when a user has multiple roles - ensure your most restrictive expiration rules have the highest priority (lowest weight).
- The module integrates with the role management page at /admin/people/roles, adding 'Force password change options' to each role's operations dropdown for quick access.
- Password statistics on user edit pages help administrators verify that users are complying with password change requirements.
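To make the priority rule concrete (the multi-role expiration feature above and the tip on weights), here is a small PHP example written for this page; it is not the module's own code, and the configuration array shape, the function names and the sample roles are assumptions. It selects, among the user's roles that actually have an expiration period set, the one with the lowest weight, which is the "highest in the list" semantics the module describes, and ignores roles whose expiration is disabled.

```php
<?php
declare(strict_types=1);

// Added example, not the Force Password Change module's code. The shape of
// $roleExpiry (rid => weight + period in seconds, 0 = no expiration) is assumed.

/**
 * Returns the expiration period that applies to a user holding $userRoles.
 *
 * The role with the lowest weight (highest in the drag-and-drop table) wins.
 * Roles with no period configured never win, so a user whose only expiring
 * role is low-priority still gets that role's period.
 *
 * @param string[] $userRoles  Role IDs the user holds.
 * @param array    $roleExpiry rid => ['weight' => int, 'period' => int].
 * @return int|null Period in seconds, or NULL if no role enforces expiration.
 */
function resolve_expiration_period(array $userRoles, array $roleExpiry): ?int {
  $winner = NULL;
  foreach ($userRoles as $rid) {
    if (empty($roleExpiry[$rid]['period'])) {
      continue; // Role unknown or expiration disabled for it.
    }
    if ($winner === NULL || $roleExpiry[$rid]['weight'] < $roleExpiry[$winner]['weight']) {
      $winner = $rid;
    }
  }
  return $winner === NULL ? NULL : $roleExpiry[$winner]['period'];
}

/**
 * TRUE when the password is at least $period seconds old. A NULL period means
 * no role requires rotation, so the password never expires.
 */
function password_expired(int $lastChanged, int $now, ?int $period): bool {
  return $period !== NULL && ($now - $lastChanged) >= $period;
}

// Constructed sample configuration: administrators rotate every 30 days,
// editors every 90 days, the authenticated role has expiration disabled.
$roleExpiry = [
  'administrator' => ['weight' => -10, 'period' => 30 * 86400],
  'editor'        => ['weight' => 0,   'period' => 90 * 86400],
  'authenticated' => ['weight' => 10,  'period' => 0],
];

$now = time();
$lastChanged = $now - 60 * 86400; // Constructed: password changed 60 days ago.

$users = [
  'admin-editor' => ['authenticated', 'editor', 'administrator'], // 30-day rule applies.
  'editor-only'  => ['authenticated', 'editor'],                  // 90-day rule applies.
  'member'       => ['authenticated'],                            // No expiration.
];

foreach ($users as $name => $roles) {
  $period = resolve_expiration_period($roles, $roleExpiry);
  printf("%-13s period=%s expired=%s\n",
    $name,
    $period === NULL ? 'none' : ($period / 86400) . 'd',
    password_expired($lastChanged, $now, $period) ? 'yes' : 'no');
}
```

Run it with `php expiry.php`. The admin-editor case is the one worth checking against your own role table: the administrator role's lower weight makes the 30-day rule apply even though the same user also holds the 90-day editor role, which is exactly why the troubleshooting advice says to drag the most restrictive role to the top.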
Technical Details
Admin Pages
/admin/config/people/force_password_change
Main configuration page for the Force Password Change module. Allows administrators to configure password enforcement policies, force password changes by role, and set password expiration rules.
/admin/config/people/force_password_change/list/{rid}
Displays detailed password change status for all users in a specific role. Shows two tables: users with pending password changes and users without pending changes. Includes statistics on when each user was last forced to change their password and when they last changed it.
Permissions
Hooks
hook_form_alter
Alters user-related forms to add password change functionality. Modifies the role edit form to add a 'force password change' checkbox, the user profile form to add password change controls and statistics, and the user registration form to add first-time login force option.
hook_user_login
Checks if the user should be forced to change their password when 'check on login only' mode is enabled. If a force is pending, redirects the user to their profile edit page.
hook_user_insert
Handles new user creation. If the site-wide 'force password change on first-time login' setting is enabled, flags the new user account to require a password change on their first login.
hook_user_delete
Cleans up module data when a user account is deleted. Removes the user's entry from the force_password_change_uids table.
hook_entity_type_alter
Modifies the user_role entity type to use a custom list builder class that adds 'Force password change options' to the operations dropdown on the role management page.
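As an illustration of the login-only enforcement flow described for hook_user_insert, hook_user_login and hook_user_delete, here is a hypothetical mymodule.module written for this page; it is not the Force Password Change module's code. It assumes a site-wide config key force_on_first_login and keeps the per-user pending flag in Drupal's State API (the real module uses its force_password_change_uids table), and it redirects by setting the request's destination parameter, which Drupal's redirect handling applies when the login form submits. The "on every page load" mode would need a request event subscriber and is not shown.

```php
<?php

/**
 * @file
 * Hypothetical mymodule.module: login-only enforcement of a pending password
 * change. Added example for this page, not the Force Password Change module.
 */

use Drupal\Core\Url;
use Drupal\user\UserInterface;

/**
 * State key holding the per-user "change required" flag.
 * (Assumption: the real module stores this in its own table instead.)
 */
function mymodule_pending_key(UserInterface $account): string {
  return 'mymodule.pending_change.' . $account->id();
}

/**
 * Implements hook_user_insert().
 *
 * Flags administrator-created accounts when the assumed site-wide setting
 * force_on_first_login is enabled, so the temporary password is replaced.
 */
function mymodule_user_insert(UserInterface $account) {
  if (\Drupal::config('mymodule.settings')->get('force_on_first_login')) {
    \Drupal::state()->set(mymodule_pending_key($account), TRUE);
  }
}

/**
 * Implements hook_user_login().
 *
 * Login-only mode: if a change is pending, send the user to their profile
 * edit page instead of the normal post-login destination.
 */
function mymodule_user_login(UserInterface $account) {
  if (!\Drupal::state()->get(mymodule_pending_key($account), FALSE)) {
    return;
  }
  $edit = Url::fromRoute('entity.user.edit_form', ['user' => $account->id()])->toString();
  // The post-login redirect honours the request's "destination" parameter.
  \Drupal::request()->query->set('destination', $edit);
  \Drupal::messenger()->addWarning(t('You must change your password before continuing.'));
}

/**
 * Implements hook_user_update().
 *
 * Clears the flag only once the stored password hash actually changed, so
 * saving the profile without entering a new password keeps the requirement.
 */
function mymodule_user_update(UserInterface $account) {
  // Entity storage exposes the pre-save entity as $account->original.
  $original = $account->original ?? NULL;
  if ($original instanceof UserInterface && $original->getPassword() !== $account->getPassword()) {
    \Drupal::state()->delete(mymodule_pending_key($account));
  }
}

/**
 * Implements hook_user_delete().
 *
 * Removes the flag so deleted accounts leave no stale enforcement data.
 */
function mymodule_user_delete(UserInterface $account) {
  \Drupal::state()->delete(mymodule_pending_key($account));
}
```

The check in hook_user_update is the part worth copying: clearing the flag on any profile save would let a user satisfy the requirement without changing the password, so the flag is cleared only when the stored hash differs from the original.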
Troubleshooting
- Site inaccessible because of the module (emergency disable): edit settings.php and add the line $config['force_password_change.settings']['enabled'] = FALSE; to it. This temporarily disables the module's functionality. After resolving the issue, remove the line to re-enable it.
- Users are not prompted to change their password immediately: check the 'Check for pending password change' setting. If it is set to 'On login only', users are only prompted on their next login, not immediately. For immediate enforcement, change it to 'On every page load'.
- The wrong expiration period is applied to users with multiple roles: password expiration uses a priority system based on role weight. Make sure the roles are ordered correctly by dragging them in the expiry settings table; the role highest in the list takes precedence.
- New users are not forced to change their password on first login: ensure 'Force password change on first-time login' is enabled in the module settings. Users created before this setting was enabled, or before the module was installed, are not affected.
Security Notes
- This module helps enforce password hygiene but does not enforce password complexity - consider combining with a password policy module.
- The emergency disable via settings.php should only be used temporarily - re-enable the module as soon as the issue is resolved.
- When forcing password changes after a suspected breach, also consider invalidating existing sessions using the Session Limit or similar modules.
- The module prevents users from reusing their current password when forced to change, but does not prevent reusing older passwords - consider additional password history controls if needed.