You can specify a security policy for passwords that users must use to access the Acquia Cloud. The password security policy determines how strong (resistant to guessing) user passwords must be. When you establish a password strength policy, it applies only to users when they sign in to the Acquia Cloud — it does not apply to your Drupal websites.
How Acquia Cloud judges password strength
Acquia Cloud applies several rules to determine a password's strength, which are based on the entropy (randomness) of the character sequences in the password. Use the criteria in the following table as a guide to what each level of the password strength policy requires:
| Strength | Criteria |
|---|---|
| Very strong | At least eight characters, contains multiple capital letters, digits, and special characters |
| | At least eight characters with some combination of words or character sequences that, when used alone, would be Weak (example: four dictionary words) |
| | Common words with a special character |
| Strong | Eight characters, contains at least two capital letters, digits, or special characters |
| | Nine characters, contains at least one capital letter, digit, or special character |
| Good | Eight characters, contains at least one capital letter, digit, or special character |
| Weak | Seven characters or fewer, contains common alphabet letters, but no capital letters, digits, or special characters |
| | Contains dictionary words |
| | Contains a common name, with leet substitutions |
How to set a password strength policy
To set a password strength policy, complete the following steps:
- Sign in to the Acquia Cloud interface with the Owner or Administrator role and select the application you want to work with.
- In the menu on the left side, click Security.
- On the Security settings page, click Edit to open the Edit security settings page.
- In the Minimum required password strength list, click the minimum required password strength, from Weak to Very strong.
- Click Save.
How to transition to stricter password policies
After you enable a password strength policy, user passwords are tested for strength when the user attempts to access the subscription. If a password fails to meet the policy, the user is not permitted access and is prompted to change the password to one that satisfies the strength requirement of the policy.
As a user types a new password, the Acquia password policy system tests and reports the password's strength. When users create a password that does not satisfy the password strength policy, they receive an error message that indicates the strictness of the website's password strength policy and lists the tests that caused the password to be judged as too weak. For example:
The following issues were detected with your password:
* It is fewer than seven characters.
* It includes a dictionary word.
The Acquia Cloud interface is also protected from brute-force attacks by the following policies, which limit how many sign-in attempts can be made:
- After three failed sign-in attempts within a 30-minute time frame from a single user name (email) and IP address, that user name and IP address combination is blocked from signing in for one hour.
- After 50 failed sign-in attempts within an hour from a single IP address, that IP address is blocked from signing in for one hour.
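The two lockout rules above, modelled as a sliding-window throttle so you can see how the per-user-and-IP limit and the IP-wide limit interact. This is an added illustration, not Acquia's own code; the thresholds are taken from the two rules, and the `SignInThrottle` class, its method names, and the use of plain epoch seconds for `now` are assumptions of this example.

```python
from collections import defaultdict, deque

# Thresholds taken from the two policies stated above (seconds).
USER_IP_LIMIT, USER_IP_WINDOW = 3, 30 * 60      # 3 failures in 30 minutes per (email, IP)
IP_LIMIT, IP_WINDOW = 50, 60 * 60               # 50 failures in 1 hour per IP
BLOCK_DURATION = 60 * 60                         # both rules block for 1 hour


class SignInThrottle:
    """Sliding-window model of the sign-in lockout rules (hypothetical helper)."""

    def __init__(self):
        self._fails_user_ip = defaultdict(deque)   # (email, ip) -> failure timestamps
        self._fails_ip = defaultdict(deque)        # ip -> failure timestamps
        self._blocked_until = {}                   # (email, ip) or ip -> unblock time

    @staticmethod
    def _prune(q, now, window):
        # Drop failures that fell out of the window.
        while q and q[0] <= now - window:
            q.popleft()

    def is_blocked(self, email, ip, now):
        """True if either the (email, ip) pair or the bare ip is currently locked out."""
        for key in ((email, ip), ip):
            until = self._blocked_until.get(key)
            if until is not None and now < until:
                return True
        return False

    def record_failure(self, email, ip, now):
        """Record one failed attempt; return True if it triggered a new block."""
        triggered = False
        for key, q_map, limit, window in (
            ((email, ip), self._fails_user_ip, USER_IP_LIMIT, USER_IP_WINDOW),
            (ip, self._fails_ip, IP_LIMIT, IP_WINDOW),
        ):
            q = q_map[key]
            self._prune(q, now, window)
            q.append(now)
            if len(q) >= limit:
                self._blocked_until[key] = now + BLOCK_DURATION
                q.clear()   # start counting again once the block expires
                triggered = True
        return triggered
```

The IP-wide rule is what catches password spraying across many accounts, where each account sees only one failure and the per-user rule never fires.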