How to apply Password Policy to user logins

Once you have Password Policies feature turned on and the password quality requirements set, all users roles (including Security Admin) must meet those requirements - there's no exceptions whatsoever. Otherwise, they will not be able to login. 

How to apply Password Policy to user logins

To explain this, best is to use an example. 

Example

Your main Password Policy settings (password quality requirements) are:

  • Minimum Password Length - "15"
  • Minimum Password Strength - "Strong"
  • Apply Password Policies To Existing Users and Their Passwords - "Enable"

These settings mean that, if any existing user or a new user set their new password with length less than " 15" and strength less then "strong", they will not be able to login.

The above password quality requirements will be applied when i.e.:

  • Super Admin tries to update his own existing password
  • Super Admin tries to update other users' existing passwords
  • Super Admin tries to add a new user and set their password
  • Other user (i.e. Editor, Subscriber....) tries to update their existing passwords

What happens when a user tries to set a new password that doesn't meet the requirements

Example 1 - does not meet minimum length

If a user tries to update their own existing password through their profile page by setting a weak and short password and check the checkbox to confirm:

Password update will be blocked and the warning will be displayed on the top of the user's profile page, for example:

User should set a new password that must meet the requirements. 

Example 2 - does not meet minimum strength

User tries to set medium level password strength:

New password will be blocked:

When a user tries to login with that password anyway, WP login form will display an error - incorrect password and the Shield offense will be triggered. 

Important: If you have Login Cooldown Interval and  Auto IP Blacklist set, unsuccessful login attempts may lock you out or you can get blacklisted. If that happens, please follow the guide outlined in the article here.

What user should do to successfully login

As user is not able to login with their new password, they will need to reset it - simply click "Lost your password?", and follow the instructions received by email.

So, user will be prompted to reset, create a new password. If their new password does not meet the password quality requirements set (see above), the following warning might display within WP login form:

Note: Only new password that meets the requirements will be accepted. 

Once the user's new updated/created password meets the requirements (see the settings above), they will be able to update it/login.

Same applies to expired passwords. Users will be forced to reset their passwords after the number of days specified. Example:

Conclusion

Shield's Password Policies feature provides a very powerful security protection for you and your site users - all users will be enforced to meet the password quality requirements set by Security Administrator.

This feature is created for those that need to take their Security to the next level, and is highly recommended. 

To learn how to enable and use Shield's Password Policies feature, please read the article here.

For more information on Password Policy and the password quality importance, please read the blog article here.