Enforcing better passwords in Craft CMS

We all know good passwords are important. Even though we know this, most of us still choose a password that is easy to remember and often one we use on different websites.

This is not an issue as long as the password is long, secure and is being encrypted by the framework or website you're using it on. Craft CMS stores its passwords securely, but it only enforces a password length of 6 characters.

A password of 6 characters can be brute force in about 5 seconds, want to know how long your password takes? Take a look here.

Enter, Craft Password Policy

Craft Password Policy is a Craft CMS plugin that allows you to configure a policy for your website. It has most of the standard options like enforcing numbers, special characters or both upper- and lowercase characters.

The best settings to change though are the minimum password length and enabling the Pwned check.

A password of 20 characters with current computing power takes 16 billion years to crack. Just like the example of the famous XKCD comic below.


Have I been Pwned?

What I absolutely recommend is enabling the Have I Been Pwned check. This checks a huge database of passwords that have been leaked or have been found in data breaches on websites around the world. Making sure the password you're using is not in this list is a great first step for a safe password.

You can find the plugin here https://github.com/rias500/craft-password-policy or in the Craft CMS Plugin Store.