Conceptually, Drupal wants to be a platform that offers maximum flexibility for site administrators, and many sites want to create community by allowing users to register. By default, Drupal 8 allows users to create new accounts subject to approval by site administrators. This may not be the ideal setting for sites that do not want to allow users to register. There was some discussion of changing this setting by default, but the discussion was closed in favor of a community-centered approach.

Every website manager should seriously consider the security requirements for their users and how passwords should be managed.

Strong Passwords

The use of strong passwords is an important security consideration for all software, not only Drupal. Thankfully, Drupal 8 requires strong passwords by default. This means that passwords must be complex, with both uppercase characters and lowercase characters, at least one number, special characters, etc. This is not the case in Drupal 7, and the Password Policy module is a standard way to enforce strong passwords. I look forward to the completed port of Password Policy to Drupal 8 to provide more control over password policies which are constantly evolving, and because it provides additional features like password expiration.

Two Factor Authentication

The Two Factor Authentication module is a great way to lock down access to the administration. From the module description, "Drupal provides authentication via something you know -- a username and password while TFA module adds a second step of authentication with a check for something you have -- such as a code sent to (or generated by) your mobile phone." Unfortunately, the module is not yet ready for Drupal 8 as of this writing, but it is a great feature to add to your Drupal 7 site.

Flood Control

Limiting failed login attempts is an important consideration for account security, as you do not want to facilitate a brute force attack by allowing an attacker to keep trying bad passwords. Drupal has default settings that control failed login attempt frequencies. The Flood Control module provides access to variables that are already present in Drupal 7 and 8 but have no administrative interface. The port to Drupal 8 is still underway.
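
In Drupal 8 these variables live in the core user.flood configuration object and can be overridden from settings.php without the contributed module. The fragment below is an added example, not code from the article or from the Flood Control module; the values are illustrative.

```php
// Append to sites/default/settings.php (added example; values are
// illustrative, keys are those of the core "user.flood" config object).

// Failed logins allowed per account before further attempts are refused
// (core default: 5), and the counting window in seconds (default: 21600).
$config['user.flood']['user_limit'] = 3;
$config['user.flood']['user_window'] = 3600;

// Failed logins allowed per client IP address across all accounts
// (core default: 50), and the counting window in seconds (default: 3600).
$config['user.flood']['ip_limit'] = 20;
$config['user.flood']['ip_window'] = 3600;

// FALSE (core default) counts failures per account and IP pair. TRUE counts
// per account regardless of source IP, which also limits distributed
// guessing but lets anyone lock a known account out for the window.
$config['user.flood']['uid_only'] = FALSE;
```

Overrides in settings.php take effect on the next request and are not written back to the exported configuration.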

This article talks about two Drupal features, account creation and reset password, and how to disable them in Drupal 8.

Disable Account Creation

Disabling the creation of new accounts is an administrative function. You can modify the default settings by selecting "Administrators Only" under "Registration and Cancellation".

Configuration > People > Account Settings

That's It!

Disable Password Reset

For large sites with many active users, it may be critical to allow users to change their own passwords, and Drupal provides this functionality by default. For smaller sites that would rather give the administrator more control over all passwords, there is no tool to disable the Reset your Password tab and form. In Drupal 8, this can be accomplished with a custom module class that hooks into the Routing system and subscribes to Drupal's Symfony Events.

A Custom Route Subscriber Class

The structure of the Route Subscriber is very simple, as Drupal 8 provides the RouteSubscriberBase class to extend, which already implements Symfony's EventSubscriberInterface for you, so all you need to do is define the alterRoutes method. The following assumes that you have implemented a custom module named MyModule.

/modules/mymodule/src/EventSubscriber/RouteSubscriber.php

<?php
/**
 * @file
 * Contains \Drupal\mymodule\EventSubscriber\RouteSubscriber.
 */

namespace Drupal\mymodule\EventSubscriber;

use Drupal\Core\Routing\RouteSubscriberBase;
use Symfony\Component\Routing\RouteCollection;

/**
 * Listens to the dynamic route events.
 */
class RouteSubscriber extends RouteSubscriberBase
{

    /**
     * {@inheritdoc}
     */
    public function alterRoutes(RouteCollection $collection)
    {

        /**
         * ----------------------------------------------------------------
         * Deny access to '/user/password' for anonymous users
         * Allow authenticated users to change their own password
         * Note that the second parameter of setRequirement() is a string.
         *
         * alterRoutes() runs when the router is rebuilt, not on every
         * request, so the current user must not be inspected here. The
         * '_user_is_logged_in' requirement is evaluated per request.
         * ----------------------------------------------------------------
         */
        if ($route = $collection->get('user.pass'))
        {
            $route->setRequirement('_user_is_logged_in', 'TRUE');
        }
    }
}

Symfony Service Requirement

The class needs to be registered as a service and tagged with event_subscriber so that it is discovered and invoked in the Symfony event life cycle.

/modules/mymodule/mymodule.services.yml

services:

    mymodule.route_subscriber:
        class: Drupal\mymodule\EventSubscriber\RouteSubscriber
        tags:
            - { name: event_subscriber }

How does the route change remove the tab?

The login tabs are rendered through the login block defined in Core:

/core/modules/user/src/Plugin/Block/UserLoginBlock.php

    $items['request_password'] = \Drupal::l($this->t('Reset your password'), new Url('user.pass', array(), array(
      'attributes' => array(
        'title' => $this->t('Send password reset instructions via email.'),
        'class' => array('request-password-link'),
      ),
    )));

Notice this passes through the \Drupal::l function, which is a static pass-through alias for Core's Link class.

Access to the route is then checked, which has been altered through the RouteSubscriber.

Drupal will not render the link if the access check fails.
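
A functional test can confirm that the altered route behaves as described. This is an added example, not part of the original article or of Drupal core; the class name, the file location (modules/mymodule/tests/src/Functional/PasswordResetAccessTest.php) and the reuse of the article's mymodule name are assumptions. It clears caches from an administrator's session before checking again, because route requirements are compiled when the router is rebuilt rather than on each request.

```php
<?php

namespace Drupal\Tests\mymodule\Functional;

use Drupal\Tests\BrowserTestBase;

/**
 * Added example, not from the article: access checks for the user.pass route.
 *
 * @group mymodule
 */
class PasswordResetAccessTest extends BrowserTestBase {

  /**
   * "mymodule" is the article's assumed module providing the RouteSubscriber.
   */
  public static $modules = ['user', 'mymodule'];

  /**
   * Theme for the test site; BrowserTestBase requires this from Drupal 8.8.
   */
  protected $defaultTheme = 'stark';

  /**
   * Anonymous users get 403 on /user/password; logged-in users get 200.
   */
  public function testPasswordResetRoute() {
    $this->drupalGet('user/password');
    $this->assertSession()->statusCodeEquals(403);

    // Route requirements are compiled when the router is rebuilt, not on
    // every request. Rebuild from an administrator's session so the result
    // cannot depend on who happened to trigger the rebuild.
    $admin = $this->drupalCreateUser(['administer site configuration']);
    $this->drupalLogin($admin);
    $this->drupalGet('admin/config/development/performance');
    $this->submitForm([], 'Clear all caches');
    $this->drupalGet('user/password');
    $this->assertSession()->statusCodeEquals(200);

    $this->drupalLogout();
    $this->drupalGet('user/password');
    $this->assertSession()->statusCodeEquals(403);
  }

}
```

The final assertion is the important one: it fails if the restriction was decided once at rebuild time instead of being evaluated for each visitor.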

How can administrators send a password reset email to users?

There is no administrative interface to do this directly, but a simple way for administrators to do this is to block and then unblock a user's account. When unblocking the account, Drupal sends a "welcome back" email that allows the user to change their password.

More Reading

You can read more about enhancing Drupal security through contributed modules in this article.

Conclusion

Managing user account access is an important consideration for site managers. With a few modules and some custom code, user passwords can be locked down a little tighter. And with reset password disabled for anonymous users, there is one less security attack vector to worry about.

Last Updated November 23rd, 2016